fsdev: Fix overrun after readlink() fills buffer completely

readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. do_readlink() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by reserving space for the null byte when calling readlink(), like we do elsewhere. Signed-off-by: Markus Armbruster <[email protected]> Signed-off-by: Aneesh Kumar K.V <[email protected]>
mslovy · Feb 26, 2014 · d77f777 · d77f777
1 parent d5001cf
commit d77f777
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
@@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec)
     }
     buffer = g_malloc(size);
     v9fs_string_init(&target);
-    retval = readlink(path.data, buffer, size);
+    retval = readlink(path.data, buffer, size - 1);
     if (retval > 0) {
         buffer[retval] = '\0';
         v9fs_string_sprintf(&target, "%s", buffer);