fsdev: Fix overrun after readlink() fills buffer completely

readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. do_readlink() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by reserving space for the null byte when calling readlink(), like we do elsewhere. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

fsdev: Fix overrun after readlink() fills buffer completely
readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. do_readlink() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by reserving space for the null byte when calling readlink(), like we do elsewhere. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
d77f7779 · Markus Armbruster · Aneesh Kumar K.V · d5001cf7 · d77f7779
Commit d77f7779 authored 11 years ago by Markus Armbruster Committed by Aneesh Kumar K.V 11 years ago
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec *out_iovec)
    }
    buffer = g_malloc(size);
    v9fs_string_init(&target);
-    retval = readlink(path.data, buffer, size);
+    retval = readlink(path.data, buffer, size - 1);
    if (retval > 0) {
        buffer[retval] = '\0';
        v9fs_string_sprintf(&target, "%s", buffer);