tools, slub: Fix off-by-one buffer corruption after readlink() call
readlink() never zero terminates the provided buffer.
Therefore we already do

    buffer[count] = 0;

This leads to an off-by-one buffer corruption as readlink()
might return the full size of the buffer.

The common technique is to reduce the buffer size by one.
Another fix would be to check

  if (count < 0 || count == sizeof(buffer))
      fatal();

Reducing the buffer size by one is easier IMHO.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Christoph Lameter <cl@gentwo.org>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Thomas Jarosch authored and Pekka Enberg committed Oct 18, 2011
1 parent ab067e9 commit fe35317
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tools/slub/slabinfo.c
Expand Up @@ -1145,7 +1145,7 @@ static void read_slab_dir(void)
switch (de->d_type) {
case DT_LNK:
alias->name = strdup(de->d_name);
count = readlink(de->d_name, buffer, sizeof(buffer));
count = readlink(de->d_name, buffer, sizeof(buffer)-1);

if (count < 0)
fatal("Cannot read symlink %s\n", de->d_name);
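
Review bot: With the size passed to readlink() reduced to `sizeof(buffer)-1`, the only check that follows is `if (count < 0)`, so a link target too long for the buffer is silently truncated and cannot be told apart from one that fits exactly. If a truncated alias target matters to the code that consumes `buffer`, also treat `count == sizeof(buffer)-1` as possible truncation and report it through fatal(), or add a comment saying truncation is accepted here. As a style point, kernel coding style puts spaces around binary operators, so the argument would read `sizeof(buffer) - 1`.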