Without this patch, a symlink pointing to a 4096-byte name could make this code write NUL into the byte beyond end of buffer: if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) { virReportSystemError(conn, errno, _("cannot resolve driver link %s"), driver_link); goto cleanup; } devpath[n] = '\0';
>From a075e207bc8fb279c43c9f4f43a960ffbd9a8a70 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@xxxxxxxxxx>
Date: Mon, 14 Dec 2009 12:05:38 +0100
Subject: [PATCH] node_device_driver.c: don't write beyond EOB for 4K-byte symlink

* src/node_device/node_device_driver.c (update_driver_name): Leave one byte for the trailing NUL we'll append.
---
 src/node_device/node_device_driver.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index f083f16..eda5d5e 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -97,7 +97,7 @@ static int update_driver_name(virConnectPtr conn,
 goto cleanup;
 }

- if ((n = readlink(driver_link, devpath, sizeof devpath)) < 0) {
+ if ((n = readlink(driver_link, devpath, sizeof devpath - 1)) < 0) {
 virReportSystemError(conn, errno,
 _("cannot resolve driver link %s"), driver_link);
 goto cleanup;
--
1.6.6.rc2.275.g51e2d
-- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
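Review bot: A link target of `sizeof devpath - 1` bytes or more is still silently truncated by the new `readlink(driver_link, devpath, sizeof devpath - 1)` call, so the code after the hunk would NUL-terminate and use a shortened path as if it were complete. Because readlink() gives no truncation indicator, I would treat a completely filled buffer as a failure right after the existing error check, e.g. `if ((size_t)n == sizeof devpath - 1) goto cleanup;` preceded by a suitable error report, or size the buffer dynamically. A short comment on the readlink line, such as `/* leave room for the NUL appended below */`, would also keep the `- 1` from being "simplified" away later. update_driver_name's body starts and ends outside the hunk, so how devpath is used afterwards is inferred from the `devpath[n] = '\0';` snippet quoted in the message.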