* [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely
@ 2014-02-21 16:43 Markus Armbruster
  2014-02-26  6:55 ` Aneesh Kumar K.V
  0 siblings, 1 reply; 2+ messages in thread
From: Markus Armbruster @ 2014-02-21 16:43 UTC (permalink / raw)
  To: qemu-devel; +Cc: aneesh.kumar

readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte.  do_readlink() writes it
itself.  This overruns the buffer when readlink() has filled it completely.

Fix by reserving space for the null byte when calling readlink(), like
we do elsewhere.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 fsdev/virtfs-proxy-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 713a7b2..bfecb87 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec)
     }
     buffer = g_malloc(size);
     v9fs_string_init(&target);
-    retval = readlink(path.data, buffer, size);
+    retval = readlink(path.data, buffer, size - 1);
     if (retval > 0) {
         buffer[retval] = '\0';
         v9fs_string_sprintf(&target, "%s", buffer);
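Review bot: `size - 1` in the new readlink() call wraps to SIZE_MAX when `size` is 0, and the check that ends at the `}` just above this hunk is not visible here, so please confirm it rejects a zero size before `g_malloc(size)` is reached; g_malloc(0) returns NULL, and readlink() would then be handed a NULL buffer with a wrapped length. If that guard does not exist, the one-liner that keeps this fix self-contained is to add it next to the existing check, e.g. `if (size == 0) { ... error ... }`, rather than relying on the caller.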
-- 
1.8.1.4

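An added standalone reproduction, not part of the patch or of QEMU's fsdev code, that shows the off-by-one the commit message describes next to the patched pattern. The symlink fixture under /tmp, the function names and the result struct are hypothetical; the canary byte, the size == 0 guard and the retval == size - 1 truncation check are additions on top of what the one-line patch does, and the fixture is constructed by the program itself.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* mkdtemp(), symlink(), readlink() on glibc */
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Pre-patch pattern: readlink() gets the whole buffer, so it may return
 * exactly `size` bytes and buffer[retval] then writes one past the end.
 * To observe that without corrupting the heap, allocate one extra byte,
 * plant a canary there and report whether it was overwritten.
 * Returns 1 if the canary was clobbered, 0 if not, -1 on allocation error.
 */
static int buggy_readlink_clobbers(const char *path, size_t size)
{
    char *buffer = malloc(size + 1);  /* byte [size] is the canary, not real buffer */
    if (buffer == NULL) {
        return -1;
    }
    buffer[size] = 'C';
    ssize_t retval = readlink(path, buffer, size);  /* pre-patch: no room for NUL */
    int clobbered = 0;
    if (retval > 0) {
        buffer[retval] = '\0';        /* retval == size lands on the canary */
        clobbered = (buffer[size] != 'C');
    }
    free(buffer);
    return clobbered;
}

/*
 * Patched pattern: ask for at most size - 1 bytes so the terminator fits.
 * Added here (hypothetical, not in the patch): reject size == 0, since
 * size - 1 would wrap, and flag retval == size - 1 as possible truncation,
 * because readlink() never returns more than it was asked for.
 * Returns 0 on success, 1 if the target may be truncated, -1 on error.
 */
static int fixed_readlink(const char *path, char *out, size_t size)
{
    if (size == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t retval = readlink(path, out, size - 1);
    if (retval < 0) {
        return -1;
    }
    out[retval] = '\0';
    return ((size_t)retval == size - 1) ? 1 : 0;
}

struct demo_result {
    int buggy_clobbered;    /* 1 if the pre-patch pattern wrote past its buffer */
    int fixed_rc;           /* return code of fixed_readlink() */
    char fixed_target[64];  /* what fixed_readlink() produced */
};

/*
 * Constructed fixture: a throwaway symlink whose target is exactly
 * target_len 'a' bytes, read with a buffer_size-byte buffer using both
 * patterns. Assumes a writable /tmp. Returns 0 on success, -1 otherwise.
 */
int run_demo(size_t target_len, size_t buffer_size, struct demo_result *r)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";
    char link[PATH_MAX];
    char target[PATH_MAX];

    if (target_len >= sizeof target || buffer_size > sizeof r->fixed_target) {
        return -1;
    }
    if (mkdtemp(dir) == NULL) {
        return -1;
    }
    snprintf(link, sizeof link, "%s/link", dir);
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return -1;
    }

    r->buggy_clobbered = buggy_readlink_clobbers(link, buffer_size);
    r->fixed_rc = fixed_readlink(link, r->fixed_target, buffer_size);

    unlink(link);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    /* 16-byte target, 16-byte buffer: the "filled it completely" case. */
    if (run_demo(16, 16, &r) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("pre-patch overran buffer: %s\n", r.buggy_clobbered ? "yes" : "no");
    printf("patched: rc=%d target=\"%s\" (%zu bytes)\n",
           r.fixed_rc, r.fixed_target, strlen(r.fixed_target));
    return 0;
}
```

Build with `cc -Wall readlink_demo.c -o readlink_demo && ./readlink_demo`. With a 16-byte target and a 16-byte buffer the pre-patch reader overwrites the canary, while the patched reader returns 15 bytes plus the terminator and reports rc=1, which is the silent-truncation case the one-byte reservation leaves behind.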

* Re: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely
  2014-02-21 16:43 [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely Markus Armbruster
@ 2014-02-26  6:55 ` Aneesh Kumar K.V
  0 siblings, 0 replies; 2+ messages in thread
From: Aneesh Kumar K.V @ 2014-02-26  6:55 UTC (permalink / raw)
  To: Markus Armbruster, qemu-devel

Markus Armbruster <armbru@redhat.com> writes:

> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte.  do_readlink() writes it
> itself.  This overruns the buffer when readlink() has filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>


applied.

> ---
>  fsdev/virtfs-proxy-helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index 713a7b2..bfecb87 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec)
>      }
>      buffer = g_malloc(size);
>      v9fs_string_init(&target);
> -    retval = readlink(path.data, buffer, size);
> +    retval = readlink(path.data, buffer, size - 1);
>      if (retval > 0) {
>          buffer[retval] = '\0';
>          v9fs_string_sprintf(&target, "%s", buffer);
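Review bot: reserving the terminator leaves a silent truncation case in this hunk: when the link target is longer than `size - 1` bytes, readlink() returns exactly `size - 1`, the string is NUL-terminated at that point and passed to v9fs_string_sprintf() as though it were the whole target. Where `size` comes from is outside the hunk; if it is taken from the request rather than from the link's own length, consider treating `retval == size - 1` as a possible truncation and returning an error (or re-reading with a larger buffer) instead of handing back a clipped path.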
> -- 
> 1.8.1.4

