From: Danny Al-Gaaf Date: Thu, 26 Jun 2014 03:22:02 +0000 (+0200) Subject: common/fd.cc: fix possible out-of-bounds write X-Git-Tag: v0.83~32^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=046c9769fc4eaffc1dd4a21b61c1c5696d537def;p=ceph.git common/fd.cc: fix possible out-of-bounds write Read max 'sizeof(target) - 1' to not write out of bound later on the 'target[r] = 0;' call in case we read the full PATH_MAX. CID 1128416 (#1 of 1): Out-of-bounds write (OVERRUN) overrun-local: Overrunning array target of 4096 bytes at byte offset 4096 using index r (which evaluates to 4096). Signed-off-by: Danny Al-Gaaf --- diff --git a/src/common/fd.cc b/src/common/fd.cc index 547e0f8e27bc3..1154e05d580f7 100644 --- a/src/common/fd.cc +++ b/src/common/fd.cc @@ -41,7 +41,7 @@ void dump_open_fds(CephContext *cct) char path[PATH_MAX]; snprintf(path, sizeof(path), "%s/%s", fn, de.d_name); char target[PATH_MAX]; - ssize_t r = readlink(path, target, sizeof(target)); + ssize_t r = readlink(path, target, sizeof(target) - 1); if (r < 0) { r = -errno; lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
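Review bot: the readlink() call on the changed line can now truncate without any signal, because readlink() reports a cut-off target only through a return value equal to the buffer size it was given. With the new bound, r == sizeof(target) - 1 means the link target may be longer than what was stored, and the dump would present a partial path as if it were complete. Consider testing for that value after the `if (r < 0)` branch and marking the entry as possibly truncated in the log output. A one-line comment on the call saying that the - 1 reserves the byte written by 'target[r] = 0;' would also keep a later cleanup from changing it back to sizeof(target).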