[CRIU] [PATCH 3/9] read_ns_sys_file(): don't overrun buf

Andrew Vagin avagin at odin.com
Wed Oct 7 04:42:03 PDT 2015


On Wed, Oct 07, 2015 at 02:35:37PM +0300, Andrew Vagin wrote:
> On Wed, Oct 07, 2015 at 02:44:18AM -0700, Kir Kolyshkin wrote:
> > This is a classical off-by-one error. If sizeof(buf) is 512,
> > the last element is buf[511] but not buf[512].
> > 
> > Note that if read() returns 0, we return 0 but buf stays
> > uninitialized.
> > 
> > Reported by Coverity, CID 114623.
> 
> Acked-by: Andrew Vagin <avagin at odin.com>

Nacked

> > 
> > Signed-off-by: Kir Kolyshkin <kir at openvz.org>
> > ---
> >  net.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net.c b/net.c
> > index 96f2fcc..08ef865 100644
> > --- a/net.c
> > +++ b/net.c
> > @@ -45,8 +45,8 @@ int read_ns_sys_file(char *path, char *buf, int len)
> >  	rlen = read(fd, buf, len);
> >  	close(fd);
> >  
> > -	if (rlen >= 0)
> > -		buf[rlen] = '\0';
> > +	if (rlen > 0)
> > +		buf[rlen - 1] = '\0';

In this case we overwrite the last symbol
> >  
> >  	return rlen;
> >  }
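Review bot: the new store `buf[rlen - 1] = '\0';` stays in bounds but clobbers the last byte that read() returned, so a read that fills the buffer loses data instead of being terminated, and a read that returns 0 still leaves buf unterminated (the commit message itself points this out). The usual fix is to reserve the terminator before the read and keep the original store: `rlen = read(fd, buf, len - 1);` followed by `if (rlen >= 0) buf[rlen] = '\0';`, which terminates on every non-error return, including 0, without overrunning buf.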
> > -- 
> > 2.4.3
> > 
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu
