common/fd.cc: fix possible out-of-bounds write

Read max 'sizeof(target) - 1' to not write out of bound
later on the 'target[r] = 0;' call in case we read the
full PATH_MAX.

CID 1128416 (#1 of 1): Out-of-bounds write (OVERRUN)
 overrun-local: Overrunning array target of 4096 bytes
 at byte offset 4096 using index r (which evaluates to 4096).

Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>

diff --git a/src/common/fd.cc b/src/common/fd.cc
index 547e0f8e27bc37346f775bf628c80bee90ac6166..1154e05d580f7c995ca7657816f14d52b78aa995 100644 (file)
--- a/src/common/fd.cc
+++ b/src/common/fd.cc
@@ -41,7 +41,7 @@ void dump_open_fds(CephContext *cct)
     char path[PATH_MAX];
     snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
     char target[PATH_MAX];
-    ssize_t r = readlink(path, target, sizeof(target));
+    ssize_t r = readlink(path, target, sizeof(target) - 1);
     if (r < 0) {
       r = -errno;
       lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;