9p: strlen() doesn't count the terminator

commit 5c4bfa17 upstream. This is an off by one bug because strlen() doesn't count the NULL terminator. We strcpy() addr into a fixed length array of size UNIX_PATH_MAX later on. The addr variable is the name of the device being mounted. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

9p: strlen() doesn't count the terminator
commit 5c4bfa17 upstream. This is an off by one bug because strlen() doesn't count the NULL terminator. We strcpy() addr into a fixed length array of size UNIX_PATH_MAX later on. The addr variable is the name of the device being mounted. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
bc92e1f6 · Dan Carpenter · Greg Kroah-Hartman · 0531e961 · bc92e1f6
Commit bc92e1f6 authored Jul 09, 2010 by Dan Carpenter Committed by Greg Kroah-Hartman Aug 10, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/9p/trans_fd.c net/9p/trans_fd.c +1 -1

No files found.
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
 	csocket = NULL;
-	if (strlen(addr) > UNIX_PATH_MAX) {
+	if (strlen(addr) >= UNIX_PATH_MAX) {
 		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
 			addr);
 		err = -ENAMETOOLONG;