From: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
Date: Tue, 9 Jun 2015 14:07:02 +0000 (+0200)
Subject: rgw/rgw_common.cc: fix char array '\0' termination
X-Git-Tag: v9.1.0~446^2~32
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d3e17825046003b20e1bd893fae196709d581af9;p=ceph.git

rgw/rgw_common.cc: fix char array '\0' termination

Fix for:

CID 1297863 (#1 of 1): Out-of-bounds access (OVERRUN)
 overrun-buffer-arg: Overrunning array secret_key_buf of 41 bytes
  by passing it to a function which accesses it at byte offset 41
  using argument key_buf_size (which evaluates to 41).
CID 1297865 (#1 of 1): Out-of-bounds access (OVERRUN)
 overrun-buffer-arg: Overrunning array secret_key_buf of 41
  bytes by passing it to a function which accesses it at byte
  offset 41 using argument 41.

 gen_rand_base64():
  index_parm: Pointer dest is directly accessed by indexing it
  with size.

Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index bfe97c28ed2f..374e1eabd6d0 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -456,7 +456,7 @@ int gen_rand_base64(CephContext *cct, char *dest, int size) /* size should be th
   }
   tmp_dest[ret] = '\0';
   memcpy(dest, tmp_dest, size);
-  dest[size] = '\0';
+  dest[size-1] = '\0';
 
   return 0;
 }