From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47048) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WLwVu-0004fy-Mj for qemu-devel@nongnu.org; Fri, 07 Mar 2014 10:16:51 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WLwVl-00053x-OI for qemu-devel@nongnu.org; Fri, 07 Mar 2014 10:16:42 -0500
Received: from e28smtp08.in.ibm.com ([122.248.162.8]:36081) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WLwVk-000536-TH for qemu-devel@nongnu.org; Fri, 07 Mar 2014 10:16:33 -0500
Received: from /spool/local by e28smtp08.in.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 7 Mar 2014 20:46:31 +0530
Received: from d28relay02.in.ibm.com (d28relay02.in.ibm.com [9.184.220.59]) by d28dlp01.in.ibm.com (Postfix) with ESMTP id 04EC0E0045 for ; Fri, 7 Mar 2014 20:50:11 +0530 (IST)
Received: from d28av03.in.ibm.com (d28av03.in.ibm.com [9.184.220.65]) by d28relay02.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s27FGH4k66912410 for ; Fri, 7 Mar 2014 20:46:18 +0530
Received: from d28av03.in.ibm.com (localhost [127.0.0.1]) by d28av03.in.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s27FGPAs017169 for ; Fri, 7 Mar 2014 20:46:25 +0530
From: "Aneesh Kumar K.V"
Date: Fri, 7 Mar 2014 20:46:16 +0530
Message-Id: <1394205380-31875-2-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
In-Reply-To: <1394205380-31875-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
References: <1394205380-31875-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 1/5] fsdev: Fix overrun after readlink() fills buffer completely
To: anthony@codemonkey.ws, peter.maydell@linaro.org
Cc: "Aneesh Kumar K.V" , qemu-devel@nongnu.org, Markus Armbruster
From: Markus Armbruster

readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. do_readlink() writes it itself.
Overruns the buffer when readlink() filled it completely.

Fix by reserving space for the null byte when calling readlink(), like
we do elsewhere.

Signed-off-by: Markus Armbruster
Signed-off-by: Aneesh Kumar K.V
---
 fsdev/virtfs-proxy-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 713a7b2b87a4..bfecb8706c85 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec) } buffer = g_malloc(size); v9fs_string_init(&target); - retval = readlink(path.data, buffer, size); + retval = readlink(path.data, buffer, size - 1); if (retval > 0) { buffer[retval] = '\0'; v9fs_string_sprintf(&target, "%s", buffer);
-- 
1.8.3.2
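Review bot: the overrun is fixed (retval is now at most size - 1, so buffer[retval] stays inside the g_malloc(size) allocation), but truncation is still silent at the `if (retval > 0)` line: readlink() cuts the target at the length it is given, so a retval equal to size - 1 may be either a complete or a truncated target, and the code passes it to v9fs_string_sprintf() as if it were complete. Consider treating retval == size - 1 as an error (ENAMETOOLONG) or retrying with a larger buffer. The hunk also does not show where size is validated; if size can be 0, size - 1 becomes a huge length once converted to size_t, so it is worth confirming that a check precedes this call.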
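The readlink() semantics described in the commit message, namely that it returns a byte count and never appends the null byte, are the root of this class of off-by-one overrun. The following wrapper is an added example, not code from the patch or from QEMU: it applies the same "reserve one byte for the NUL" idea as the fix, and additionally refuses to pass on a result that may have been silently truncated. The names safe_readlink and demo_readlink_fix are hypothetical, the symlink target is constructed, and the demo assumes a POSIX system with a writable /tmp.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * safe_readlink: hypothetical wrapper (added example, not QEMU code).
 * readlink() returns the number of bytes it wrote and never appends a
 * NUL, so the last byte of buf is reserved for the terminator, exactly
 * as the patch does with "size - 1". It also closes the gap the patch
 * leaves open: readlink() silently truncates a target longer than the
 * length passed in, so a result that fills the whole reserved space is
 * ambiguous and is reported as an error (errno = ENAMETOOLONG) rather
 * than handed on as a complete path.
 * Returns the target length on success, -1 with errno set on failure.
 */
static ssize_t safe_readlink(const char *path, char *buf, size_t size)
{
    if (size == 0) {
        errno = EINVAL;          /* otherwise size - 1 would wrap around */
        return -1;
    }
    ssize_t n = readlink(path, buf, size - 1);
    if (n < 0) {
        return -1;               /* errno already set by readlink() */
    }
    buf[n] = '\0';               /* n <= size - 1: always in bounds */
    if ((size_t)n == size - 1) {
        errno = ENAMETOOLONG;    /* possibly truncated: refuse to guess */
        return -1;
    }
    return n;
}

/*
 * demo_readlink_fix: creates a symlink with a constructed 11-byte target
 * in a fresh temporary directory (assumes a writable /tmp), reads it back
 * once with a buffer that has room to spare and once with a buffer that
 * is too small, then cleans up. Returns 1 if both calls behave as the
 * comment on safe_readlink() describes, 0 otherwise.
 */
static int demo_readlink_fix(void)
{
    static const char target[] = "target_file";   /* constructed, 11 bytes */
    char dir[] = "/tmp/readlink_demo_XXXXXX";
    char linkpath[PATH_MAX];
    int ok = 0;

    if (mkdtemp(dir) == NULL) {
        return 0;
    }
    snprintf(linkpath, sizeof linkpath, "%s/link", dir);
    if (symlink(target, linkpath) == 0) {
        char big[16];            /* 11 bytes + NUL fit with room left over */
        ssize_t n = safe_readlink(linkpath, big, sizeof big);
        int full = (n == 11 && strcmp(big, target) == 0);

        char small[8];           /* only 7 bytes of the target can fit */
        errno = 0;
        ssize_t m = safe_readlink(linkpath, small, sizeof small);
        int truncated = (m == -1 && errno == ENAMETOOLONG &&
                         strlen(small) == 7 &&
                         strncmp(small, target, 7) == 0);

        ok = full && truncated;
        unlink(linkpath);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("readlink fix demo: %s\n", demo_readlink_fix() ? "ok" : "FAILED");
    return 0;
}
```

The design choice worth noting is that an exact fit (target length equal to size - 1) is deliberately rejected: the caller cannot tell it from a truncated target, so the wrapper makes the caller supply a larger buffer instead of silently returning a shortened path.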