| commit | 69583490856713f693291b32fc74b6d0f5992b72 | |
| author | Stefan Hajnoczi <stefanha@redhat.com> | |
| Tue, 14 Mar 2017 09:09:22 +0000 (14 17:09 +0800) | ||
| committer | Kevin Wolf <kwolf@redhat.com> | |
| Fri, 17 Mar 2017 11:54:06 +0000 (17 12:54 +0100) | ||
| tree | 01eed1c3f6d1bfd64192f4d7f91616568f053066 | treesnapshot (tar.gz zip) |
| parent | 272d7dee5951f926fad1911f2f072e5915cdcba0 | commitdiff |
file-posix: clean up max_segments buffer termination
The following pattern is unsafe:
char buf[32];
ret = read(fd, buf, sizeof(buf));
...
buf[ret] = 0;
If read(2) returns 32 then a byte beyond the end of the buffer is
zeroed.
In practice this buffer overflow does not occur because the sysfs
max_segments file only contains an unsigned short + '\n'. The string is
always shorter than 32 bytes.
Regardless, avoid this pattern because static analysis tools might
complain and it could lead to real buffer overflows if copy-pasted
elsewhere in the codebase.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
The following pattern is unsafe:
char buf[32];
ret = read(fd, buf, sizeof(buf));
...
buf[ret] = 0;
If read(2) returns 32 then a byte beyond the end of the buffer is
zeroed.
In practice this buffer overflow does not occur because the sysfs
max_segments file only contains an unsigned short + '\n'. The string is
always shorter than 32 bytes.
Regardless, avoid this pattern because static analysis tools might
complain and it could lead to real buffer overflows if copy-pasted
elsewhere in the codebase.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
| block/file-posix.c | diffblobblamehistory |