[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffe
From: |
Aneesh Kumar K.V |
Subject: |
Re: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely |
Date: |
Wed, 26 Feb 2014 12:25:32 +0530 |
User-agent: |
Notmuch/0.17+7~gc734dd75344e (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu) |
Markus Armbruster <address@hidden> writes:
> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte. do_readlink() writes it
> itself. Overruns the buffer when readlink() filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Signed-off-by: Markus Armbruster <address@hidden>
applied.
> ---
> fsdev/virtfs-proxy-helper.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index 713a7b2..bfecb87 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec
> *out_iovec)
> }
> buffer = g_malloc(size);
> v9fs_string_init(&target);
> - retval = readlink(path.data, buffer, size);
> + retval = readlink(path.data, buffer, size - 1);
> if (retval > 0) {
> buffer[retval] = '\0';
> v9fs_string_sprintf(&target, "%s", buffer);
> --
> 1.8.1.4