Markus Armbruster <arm...@redhat.com> writes:

> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte. do_readlink() writes it
> itself. Overruns the buffer when readlink() filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Signed-off-by: Markus Armbruster <arm...@redhat.com>

applied. > --- > fsdev/virtfs-proxy-helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c > index 713a7b2..bfecb87 100644 > --- a/fsdev/virtfs-proxy-helper.c > +++ b/fsdev/virtfs-proxy-helper.c > @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec > *out_iovec) > } > buffer = g_malloc(size); > v9fs_string_init(&target); > - retval = readlink(path.data, buffer, size); > + retval = readlink(path.data, buffer, size - 1); > if (retval > 0) { > buffer[retval] = '\0'; > v9fs_string_sprintf(&target, "%s", buffer); > -- > 1.8.1.4
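
Review bot: the new length argument size - 1 in the readlink() call has no guard against size being 0 in the lines shown. readlink() takes its length as a size_t, so a zero size would wrap to a very large value while g_malloc(size) has provided no buffer to back it. If the check that closes just above the g_malloc() line does not already reject size == 0, it should. A second point on the same call: readlink() truncates silently when the target does not fit, so retval == size - 1 is indistinguishable from a shortened target; consider failing in that case rather than passing the truncated string to v9fs_string_sprintf().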