[libvirt] [PATCH] node_device_driver.c: don't write beyond EOB for 4K-byte symlink
Daniel Veillard
veillard at redhat.com
Mon Dec 14 11:24:51 UTC 2009
On Mon, Dec 14, 2009 at 12:07:18PM +0100, Jim Meyering wrote:
> Without this patch, a symlink pointing to a 4096-byte name
> could make this code write NUL into the byte beyond end of buffer:
>
> if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) {
> virReportSystemError(conn, errno,
> _("cannot resolve driver link %s"), driver_link);
> goto cleanup;
> }
> devpath[n] = '\0';
>
>
> >From a075e207bc8fb279c43c9f4f43a960ffbd9a8a70 Mon Sep 17 00:00:00 2001
> From: Jim Meyering <meyering at redhat.com>
> Date: Mon, 14 Dec 2009 12:05:38 +0100
> Subject: [PATCH] node_device_driver.c: don't write beyond EOB for 4K-byte symlink
>
> * src/node_device/node_device_driver.c (update_driver_name): Leave
> one byte for the trailing NUL we'll append.
> ---
> src/node_device/node_device_driver.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
> index f083f16..eda5d5e 100644
> --- a/src/node_device/node_device_driver.c
> +++ b/src/node_device/node_device_driver.c
> @@ -97,7 +97,7 @@ static int update_driver_name(virConnectPtr conn,
> goto cleanup;
> }
>
> - if ((n = readlink(driver_link, devpath, sizeof devpath)) < 0) {
> + if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) {
> virReportSystemError(conn, errno,
> _("cannot resolve driver link %s"), driver_link);
> goto cleanup;
Subtle ! ACK,
thanks !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
More information about the libvir-list
mailing list