diff options
author | Markus Armbruster <armbru@redhat.com> | 2014-02-21 17:43:09 +0100 |
---|---|---|
committer | Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> | 2014-02-26 12:24:07 +0530 |
commit | d77f7779b4d74354b3444ceb0f93105ced3c26c8 (patch) | |
tree | 29588786a2274c0b4a3099eead1b6c5f5942c351 /fsdev | |
parent | d5001cf787ad0514839a81d0f2e771e01e076e21 (diff) | |
download | qemu-d77f7779b4d74354b3444ceb0f93105ced3c26c8.tar.gz qemu-d77f7779b4d74354b3444ceb0f93105ced3c26c8.tar.bz2 qemu-d77f7779b4d74354b3444ceb0f93105ced3c26c8.zip |
fsdev: Fix overrun after readlink() fills buffer completely
readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. do_readlink() writes it
itself. Overruns the buffer when readlink() filled it completely.
Fix by reserving space for the null byte when calling readlink(), like
we do elsewhere.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Diffstat (limited to 'fsdev')
-rw-r--r-- | fsdev/virtfs-proxy-helper.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c index 713a7b2b87..bfecb8706c 100644 --- a/fsdev/virtfs-proxy-helper.c +++ b/fsdev/virtfs-proxy-helper.c @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec) } buffer = g_malloc(size); v9fs_string_init(&target); - retval = readlink(path.data, buffer, size); + retval = readlink(path.data, buffer, size - 1); if (retval > 0) { buffer[retval] = '\0'; v9fs_string_sprintf(&target, "%s", buffer); |