From 046c9769fc4eaffc1dd4a21b61c1c5696d537def Mon Sep 17 00:00:00 2001
From: Danny Al-Gaaf
Date: Thu, 26 Jun 2014 05:22:02 +0200
Subject: [PATCH] common/fd.cc: fix possible out-of-bounds write Read max 'sizeof(target) - 1' to not write out of bound later on the 'target[r] = 0;' call in case we read the full PATH_MAX. CID 1128416 (#1 of 1): Out-of-bounds write (OVERRUN) overrun-local: Overrunning array target of 4096 bytes at byte offset 4096 using index r (which evaluates to 4096).
Signed-off-by: Danny Al-Gaaf
---
 src/common/fd.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/common/fd.cc b/src/common/fd.cc
index 547e0f8e27bc3..1154e05d580f7 100644
--- a/src/common/fd.cc
+++ b/src/common/fd.cc
@@ -41,7 +41,7 @@ void dump_open_fds(CephContext *cct)
 char path[PATH_MAX];
 snprintf(path, sizeof(path), "%s/%s", fn, de.d_name);
 char target[PATH_MAX];
- ssize_t r = readlink(path, target, sizeof(target));
+ ssize_t r = readlink(path, target, sizeof(target) - 1);
 if (r < 0) {
 r = -errno;
 lderr(cct) << "dump_open_fds unable to readlink " << path << ": " << cpp_strerror(r) << dendl;
--
2.39.5
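Review bot: The reason for the `- 1` is not recorded at the readlink() call in dump_open_fds, so a later cleanup could change the bound back to `sizeof(target)` and reintroduce the one-byte stack overrun. readlink() does not NUL-terminate, and per the commit message the terminator is written by `target[r] = 0;`, which lies outside this hunk. A comment on the new line would pin the invariant, e.g. `// readlink() does not NUL-terminate; reserve one byte for target[r] = 0 below`. Separately, a return value equal to `sizeof(target) - 1` may mean the link target was truncated, and the dump would presumably log it as if it were complete; that case could be reported distinctly. The function body begins and ends outside the hunk.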