From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38179) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WGtC3-0005iK-O8 for qemu-devel@nongnu.org; Fri, 21 Feb 2014 11:43:25 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WGtBx-0002zm-My for qemu-devel@nongnu.org; Fri, 21 Feb 2014 11:43:19 -0500 Received: from mx1.redhat.com ([209.132.183.28]:38598) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WGtBx-0002zf-F2 for qemu-devel@nongnu.org; Fri, 21 Feb 2014 11:43:13 -0500 From: Markus Armbruster Date: Fri, 21 Feb 2014 17:43:09 +0100 Message-Id: <1393000989-8502-1-git-send-email-armbru@redhat.com> Subject: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: aneesh.kumar@linux.vnet.ibm.com readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. do_readlink() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by reserving space for the null byte when calling readlink(), like we do elsewhere. Signed-off-by: Markus Armbruster --- fsdev/virtfs-proxy-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c index 713a7b2..bfecb87 100644 --- a/fsdev/virtfs-proxy-helper.c +++ b/fsdev/virtfs-proxy-helper.c @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec) } buffer = g_malloc(size); v9fs_string_init(&target); - retval = readlink(path.data, buffer, size); + retval = readlink(path.data, buffer, size - 1); if (retval > 0) { buffer[retval] = '\0'; v9fs_string_sprintf(&target, "%s", buffer); -- 1.8.1.4
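Review bot: the fix is correct as far as the visible lines show, but please confirm that the check closed by the `}` just above the hunk rejects a `size` of 0: with the new call `retval = readlink(path.data, buffer, size - 1);` a zero `size` turns the bound into 0 if `size` is unsigned, or into -1 converted to a huge `size_t` if it is a signed int, and either way `g_malloc(0)` has allocated nothing to write into. With `size` validated, the change closes the overrun: `readlink()` now returns at most `size - 1`, so `buffer[retval] = '\0';` is always inside the allocation. One behavioural note worth a line in the commit message: `readlink()` truncates silently, so a target that is exactly `size` bytes long now comes back shortened to `size - 1` bytes with no error, where before it overran; if callers need to notice truncation, `retval == size - 1` is the only signal available from this code.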