This code copies up to the entire size of devbuffer, and then
tries to use "strlen" to null terminate it.
But strlen works by *finding* the null, so it's at best a
no-op, and at worst not properly terminating the string.
Fix this by placing the null at the last byte of the buffer.
Addresses-Coverity-Id: 1297519
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
diff --git a/quota/edit.c b/quota/edit.c
index d226e89..a53a7e6 100644
--- a/quota/edit.c
+++ b/quota/edit.c
@@ -385,7 +385,7 @@ restore_file(
while (fgets(buffer, sizeof(buffer), fp) != NULL) {
if (strncmp("fs = ", buffer, 5) == 0) {
dev = strncpy(devbuffer, buffer+5, sizeof(devbuffer));
- dev[strlen(dev) - 1] = '\0';
+ dev[sizeof(devbuffer) - 1] = '\0';
continue;
}
rtbsoft = rtbhard = 0;
_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
