There is potential buffer overrun in kmod_builtin_iter_get_modname() for the name of length PATH_MAX. The required buffer size is PATH_MAX, so `modname[len] = '\0'` with len == PATH_MAX will write right beyond the buffer. Check the length against PATH_MAX - 1. Signed-off-by: Yauheni Kaliuta <ykaliuta@xxxxxxxxxx> --- libkmod/libkmod-builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c index a002cb5ee2c6..3d4d77ab29b3 100644 --- a/libkmod/libkmod-builtin.c +++ b/libkmod/libkmod-builtin.c @@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter, len = dot - line; - if (len >= PATH_MAX) { + if (len >= PATH_MAX - 1) { sv_errno = ENAMETOOLONG; goto fail; } -- 2.31.1