The target length of a symbolic link is saved in stat.st_size. The
code already adds one byte for a terminating nul that has to be added
manually. But afterwards, readlink gets "stat.st_size + 1" as argument.
If the symbolic link in question gets replaced with a longer one between
lstat and readlink, the terminating '\0' will overflow the buffer by
one.
---
src/create.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/create.c b/src/create.c
index 1b08e0b..baf19e2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1843,7 +1843,7 @@ dump_file0 (struct tar_stat_info *st, char const *name,
char const *p)
if (linklen != st->stat.st_size || linklen + 1 == 0)
xalloc_die ();
buffer = (char *) alloca (linklen + 1);
- size = readlinkat (parentfd, name, buffer, linklen + 1);
+ size = readlinkat (parentfd, name, buffer, linklen);
if (size < 0)
{
file_removed_diag (p, top_level, readlink_diag);
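Review bot: passing linklen instead of linklen + 1 closes the off-by-one (buffer has linklen + 1 bytes, so readlinkat may fill at most linklen and the manual '\0' lands in the last slot), but the hunk shows no handling for the TOCTOU case it fixes: if the link grew between lstat and readlinkat, readlinkat now returns exactly linklen with a silently truncated target rather than an error. The visible code only checks `size < 0`; please confirm the lines following the hunk also treat `size != st->stat.st_size` (or `size == linklen` with a possibly longer target) as a changed file and emit a diagnostic rather than archiving a truncated link target.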
--
2.4.5