[CRIU] [PATCH 2/9] read_fd_link(): don't overrun buf

Andrew Vagin avagin at odin.com
Wed Oct 7 04:33:47 PDT 2015


On Wed, Oct 07, 2015 at 02:44:17AM -0700, Kir Kolyshkin wrote:
> This is a classical off-by-one error. If sizeof(buf) is 512,
> the last element is buf[511] but not buf[512].
> 
> Reported by Coverity, CID 114624, 114622 etc.
> 
> Signed-off-by: Kir Kolyshkin <kir at openvz.org>
> ---
>  util.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/util.c b/util.c
> index a1ab18b..7694448 100644
> --- a/util.c
> +++ b/util.c
> @@ -467,7 +467,7 @@ int read_fd_link(int lfd, char *buf, size_t size)
if ((size_t)ret == size) {
>  		pr_err("Buffer for read link of fd %d is too small\n", lfd);
>  		return -1;
>  	}
> -	buf[ret] = 0;
> +	buf[ret - 1] = 0;

Here ret is always smaller than size.
>  
>  	return ret;
>  }
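Review bot: the new store buf[ret - 1] = 0 is a logic error on the fall-through path, not an off-by-one fix. The check just above, if ((size_t)ret == size) { ... return -1; }, guarantees ret < size once execution reaches the store, so buf[ret] is the last in-bounds index and the original buf[ret] = 0 could not overrun. The replacement instead clobbers the final byte of the link target (a 9-byte target comes back as an 8-character string while the function still returns 9), leaves buf[ret] unterminated relative to the returned length, and, should ret ever be 0, writes to buf[-1]. Keep buf[ret] = 0 here; if the Coverity CIDs 114624/114622 are about callers passing a size larger than their actual buffer, the correction belongs at those call sites.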
> -- 
> 2.4.3
> 
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu

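The disagreement above comes down to readlink(2) semantics: it returns the number of bytes placed in the buffer, never writes a terminator, and silently truncates when the buffer is too small. The following added example (written for this note, not code from CRIU or from either author) reproduces that behaviour with a constructed stand-in for readlink so it runs offline, then applies the same "ret == size" rejection that appears in the quoted hunk and terminates either at buf[ret] (the original line) or buf[ret - 1] (the patch). The function names fake_readlink, read_link_checked and roundtrips, the buffer sizes and the sample target "/dev/null" are all assumptions made for the demonstration; the surrounding control flow is a reconstruction of the hunk's shape, not the real read_fd_link().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for readlink(2): copies at most `size` bytes of the
 * link target into buf, writes NO terminator, and silently truncates.
 * Returns the number of bytes placed, exactly like the real call. */
static ssize_t fake_readlink(const char *target, char *buf, size_t size)
{
	size_t len = strlen(target);

	if (len > size)
		len = size;
	memcpy(buf, target, len);
	return (ssize_t)len;
}

/* Hypothetical reconstruction of the logic around the disputed hunk (not the
 * CRIU source). A result that filled the whole buffer is rejected, because
 * readlink cannot distinguish "exact fit" from "truncated" and there would
 * be no room for a terminator anyway. `patched` selects which store to do. */
static int read_link_checked(const char *target, char *buf, size_t size,
			     int patched)
{
	ssize_t ret = fake_readlink(target, buf, size);

	if (ret < 0)
		return -1;
	if ((size_t)ret == size)
		return -1;	/* buffer too small: mirrors the pr_err() path */

	/* On this path ret < size, so buf[ret] lies inside the buffer. */
	if (patched)
		buf[ret - 1] = 0;	/* the patch: overwrites the last target byte */
	else
		buf[ret] = 0;		/* the original: terminator right after the data */
	return (int)ret;
}

/* Returns 1 when the buffer comes back as exactly `target`, 0 when the call
 * is rejected or the string is damaged. */
static int roundtrips(const char *target, size_t size, int patched)
{
	char buf[64];
	int ret;

	if (size > sizeof(buf))
		return 0;
	memset(buf, 'X', sizeof(buf));	/* poison: a missing NUL would show up */
	ret = read_link_checked(target, buf, size, patched);
	if (ret < 0)
		return 0;
	return strcmp(buf, target) == 0;
}

int main(void)
{
	const char *target = "/dev/null";	/* constructed sample link target */

	printf("original, size 16: %s\n", roundtrips(target, 16, 0) ? "intact" : "damaged");
	printf("patched,  size 16: %s\n", roundtrips(target, 16, 1) ? "intact" : "damaged");
	printf("exact fit, size 9: %s\n", roundtrips(target, 9, 0) ? "intact" : "rejected");
	printf("truncated, size 8: %s\n", roundtrips(target, 8, 0) ? "intact" : "rejected");
	return 0;
}
```

With the rejection check in place the original buf[ret] = 0 yields the intact target, the patched store returns "/dev/nul" for a 9-byte target while still reporting length 9, and both the exact-fit and truncated cases are refused before any terminator is written. The one input the example deliberately does not exercise is an empty target: there ret is 0 and the patched store would index buf[-1].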