[CRIU] [PATCH 3/9] read_ns_sys_file(): don't overrun buf
Andrew Vagin
avagin at odin.com
Wed Oct 7 04:42:03 PDT 2015
On Wed, Oct 07, 2015 at 02:35:37PM +0300, Andrew Vagin wrote:
> On Wed, Oct 07, 2015 at 02:44:18AM -0700, Kir Kolyshkin wrote:
> > This is a classical off-by-one error. If sizeof(buf) is 512,
> > the last element is buf[511] but not buf[512].
> >
> > Note that if read() returns 0, we return 0 but buf stays
> > uninitialized.
> >
> > Reported by Coverity, CID 114623.
>
> Acked-by: Andrew Vagin <avagin at odin.com>
Nacked
> >
> > Signed-off-by: Kir Kolyshkin <kir at openvz.org>
> > ---
> > net.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/net.c b/net.c
> > index 96f2fcc..08ef865 100644
> > --- a/net.c
> > +++ b/net.c
> > @@ -45,8 +45,8 @@ int read_ns_sys_file(char *path, char *buf, int len)
> > rlen = read(fd, buf, len);
> > close(fd);
> >
> > - if (rlen >= 0)
> > - buf[rlen] = '\0';
> > + if (rlen > 0)
> > + buf[rlen - 1] = '\0';
In this case we overwrite the last symbol
> >
> > return rlen;
> > }
> > --
> > 2.4.3
> >
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu
More information about the CRIU
mailing list