[libvirt] [PATCH] node_device_driver.c: don't write beyond EOB for 4K-byte symlink

Jim Meyering jim at meyering.net
Mon Dec 14 11:07:18 UTC 2009


Without this patch, a symlink pointing to a 4096-byte name
could make this code write NUL into the byte beyond end of buffer:

    if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) {
        virReportSystemError(conn, errno,
                             _("cannot resolve driver link %s"), driver_link);
        goto cleanup;
    }
    devpath[n] = '\0';


From a075e207bc8fb279c43c9f4f43a960ffbd9a8a70 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Mon, 14 Dec 2009 12:05:38 +0100
Subject: [PATCH] node_device_driver.c: don't write beyond EOB for 4K-byte symlink

* src/node_device/node_device_driver.c (update_driver_name): Leave
one byte for the trailing NUL we'll append.
---
 src/node_device/node_device_driver.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index f083f16..eda5d5e 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -97,7 +97,7 @@ static int update_driver_name(virConnectPtr conn,
         goto cleanup;
     }

-    if ((n = readlink(driver_link, devpath, sizeof devpath)) < 0) {
+    if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) {
         virReportSystemError(conn, errno,
                              _("cannot resolve driver link %s"), driver_link);
         goto cleanup;
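
Review bot: A link target longer than `sizeof devpath - 1` bytes is still silently truncated by the `readlink()` call on the changed line, and only `n < 0` is treated as a failure. `readlink()` returns the number of bytes it placed in the buffer and gives no indication that the name was cut short, so update_driver_name would continue with a partial path. Consider also failing when `n == sizeof devpath - 1`, reporting it through the same `virReportSystemError` path (ENAMETOOLONG fits), or sizing the buffer dynamically. A short comment on this line saying the `- 1` reserves the byte for the terminating NUL would help keep the two lines in step.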
--
1.6.6.rc2.275.g51e2d
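
The readlink() pattern discussed in this message, as an added example that is not part of the original post or of libvirt's code: a wrapper that reserves the byte for the NUL and also rejects results that may have been truncated. The names `read_link_checked` and `demo` are hypothetical, and the sample symlinks are constructed under /tmp, which is assumed to be writable.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* readlink, symlink, mkdtemp */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt code): resolve a symlink into buf, always
 * NUL-terminated. Returns the target length, or -1 with errno set. A result
 * filling all bufsize - 1 usable bytes is rejected as possibly truncated. */
static ssize_t read_link_checked(const char *path, char *buf, size_t bufsize)
{
    ssize_t n;
    if (bufsize < 2) {
        errno = EINVAL;
        return -1;
    }
    n = readlink(path, buf, bufsize - 1);   /* leave one byte for the NUL */
    if (n < 0)
        return -1;
    if ((size_t)n == bufsize - 1) {         /* readlink may have cut it short */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';                          /* n <= bufsize - 2, in bounds */
    return n;
}

/* Constructed input: create a symlink whose target is target_len 'a' bytes,
 * resolve it into a bufsize-byte buffer, clean up (-2 means setup failed). */
static ssize_t demo(size_t target_len, size_t bufsize)
{
    char dir[] = "/tmp/rlinkXXXXXX", link[64], target[256], buf[256];
    ssize_t n = -2;
    if (target_len >= sizeof target || bufsize > sizeof buf || !mkdtemp(dir))
        return -2;
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    snprintf(link, sizeof link, "%s/l", dir);
    if (symlink(target, link) == 0) {
        n = read_link_checked(link, buf, bufsize);
        unlink(link);
    }
    rmdir(dir);
    return n;
}

int main(void) { printf("%zd %zd\n", demo(10, 64), demo(63, 64)); return 0; }
```

A target of exactly `bufsize - 1` bytes is rejected as well, because readlink() cannot distinguish it from a longer one.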



