Fix for buffer overflow defect in 'link'.

Potential buffer overflow of 'link' caused by user input may occur, due to non null-terminated string 'link'. Signed-off-by: Artur Wojcik <artur.wojcik@intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
author: Artur Wojcik <artur.wojcik@intel.com> 2009-12-10 19:52:23 +0100
committer: Dan Williams <dan.j.williams@intel.com> 2009-12-10 19:52:23 +0100
commit: 5a1920f2c26719d825521cfe6a2b78f4ff6eed99 (patch)
tree: 6da405a876061da284584b29c59db2474ee39753 /platform-intel.c
parent: Grow: avoid truncation error when checking size of array. (diff)
download: mdadm-5a1920f2c26719d825521cfe6a2b78f4ff6eed99.tar.xz
mdadm-5a1920f2c26719d825521cfe6a2b78f4ff6eed99.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/platform-intel.c b/platform-intel.c
index d568ca61..b21ff075 100644
--- a/platform-intel.c
+++ b/platform-intel.c
@@ -57,13 +57,17 @@ struct sys_dev *find_driver_devices(const char *bus, const char *driver)
 	if (!driver_dir)
 		return NULL;
 	for (de = readdir(driver_dir); de; de = readdir(driver_dir)) {
+		int n;
+
 		/* is 'de' a device? check that the 'subsystem' link exists and
 		 * that its target matches 'bus'
 		 */
 		sprintf(path, "/sys/bus/%s/drivers/%s/%s/subsystem",
 			bus, driver, de->d_name);
-		if (readlink(path, link, sizeof(link)) < 0)
+		n = readlink(path, link, sizeof(link));
+		if (n < 0 || n >= sizeof(link))
 			continue;
+		link[n] = '\0';
 		c = strrchr(link, '/');
 		if (!c)
 			continue;
author	Artur Wojcik <artur.wojcik@intel.com>	2009-12-10 19:52:23 +0100
committer	Dan Williams <dan.j.williams@intel.com>	2009-12-10 19:52:23 +0100
commit	5a1920f2c26719d825521cfe6a2b78f4ff6eed99 (patch)
tree	6da405a876061da284584b29c59db2474ee39753 /platform-intel.c
parent	Grow: avoid truncation error when checking size of array. (diff)
download	mdadm-5a1920f2c26719d825521cfe6a2b78f4ff6eed99.tar.xz mdadm-5a1920f2c26719d825521cfe6a2b78f4ff6eed99.zip