Commit fe353178 authored by Thomas Jarosch, committed by Pekka Enberg

tools, slub: Fix off-by-one buffer corruption after readlink() call

readlink() never zero terminates the provided buffer.
Therefore we already do

    buffer[count] = 0;

This leads to an off-by-one buffer corruption as readlink()
might return the full size of the buffer.

The common technique is to reduce the buffer size by one.
Another fix would be to check

  if (count < 0 || count == sizeof(buffer))
      fatal();

Reducing the buffer size by one is easier IMHO.
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Christoph Lameter <cl@gentwo.org>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
parent ab067e99
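The off-by-one the commit message describes, as an added example that is not part of the kernel commit or of tools/slub: a symlink is created with a target exactly as long as the buffer, the pre-patch call shape (`readlink()` handed the full `sizeof(buffer)`) is shown to return a count equal to the buffer size so that `buffer[count] = 0` would land one byte past the end, and a hardened wrapper reserves the terminator byte and additionally reports truncation. The buffer size `ALIAS_BUF`, the helper names and the temporary-directory fixture are assumptions for the demonstration.

```c
/*
 * Added example (not part of the kernel commit): shows why calling
 * readlink() with the full sizeof(buffer) lets the later
 * buffer[count] = 0 write one byte past the end, and a wrapper that
 * reserves the terminator byte and reports truncation.
 * POSIX only; it creates a symlink in a temporary directory and removes it.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ALIAS_BUF 16   /* hypothetical buffer size, small so the edge case is easy to hit */

/*
 * Mirrors the pre-patch call shape: readlink() gets the whole buffer.
 * Returns 1 if writing the terminator at buf[count] would fall past the
 * end of a bufsz-byte buffer (the off-by-one), 0 if it is in bounds,
 * -1 on error. It deliberately does not perform the bad write.
 */
static int terminator_out_of_bounds(const char *path, size_t bufsz)
{
    char *buf = malloc(bufsz);
    if (!buf)
        return -1;
    ssize_t count = readlink(path, buf, bufsz);
    free(buf);
    if (count < 0)
        return -1;
    return (size_t)count == bufsz;   /* buf[bufsz] is one past the end */
}

/*
 * Hardened form: hand readlink() one byte less than the buffer, always
 * NUL-terminate, and treat a full buffer as possible truncation. A target
 * of exactly bufsz-1 bytes is reported the same way, so a caller that
 * cares can retry with a larger buffer. Returns the target length, or -1
 * with errno set (ENAMETOOLONG for truncation).
 */
static ssize_t readlink_z(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t count = readlink(path, buf, bufsz - 1);
    if (count < 0)
        return -1;
    buf[count] = '\0';               /* now guaranteed to be inside buf */
    if ((size_t)count == bufsz - 1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return count;
}

/*
 * Creates a symlink whose target is target_len bytes of 'a', runs both
 * variants against it with an ALIAS_BUF-byte buffer, and returns a bitmask:
 *   bit 0: the pre-patch call would write the terminator out of bounds
 *   bit 1: readlink_z() rejected the link as (possibly) truncated
 *   bit 2: readlink_z() returned the complete, NUL-terminated target
 * Returns -1 if the fixture could not be created.
 */
static int probe(size_t target_len)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";   /* constructed fixture */
    char target[256], link_path[300], buf[ALIAS_BUF];
    int result = 0;

    if (target_len >= sizeof(target) || !mkdtemp(dir))
        return -1;
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    snprintf(link_path, sizeof(link_path), "%s/alias", dir);
    if (symlink(target, link_path) != 0) {
        rmdir(dir);
        return -1;
    }

    if (terminator_out_of_bounds(link_path, sizeof(buf)) == 1)
        result |= 1;

    ssize_t n = readlink_z(link_path, buf, sizeof(buf));
    if (n < 0 && errno == ENAMETOOLONG)
        result |= 2;
    else if (n >= 0 && strcmp(buf, target) == 0)
        result |= 4;

    unlink(link_path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("5-byte target:  %d (wrapper returns it intact)\n", probe(5));
    printf("15-byte target: %d (fits, but wrapper cannot tell it from truncation)\n", probe(15));
    printf("16-byte target: %d (raw call overflows by one; wrapper flags truncation)\n", probe(ALIAS_BUF));
    printf("40-byte target: %d (raw call also returns 16, silently truncated)\n", probe(40));
    return 0;
}
```

The 40-byte case is the one worth keeping in mind when reading the patch: `readlink()` returns at most the size it was given and never signals truncation, so with the full `sizeof(buffer)` both an exact-fit target and an over-long one come back as `count == sizeof(buffer)`, and with `sizeof(buffer)-1` both come back as `sizeof(buffer)-1`. Reducing the size fixes the out-of-bounds write; detecting that the name was cut short needs the extra comparison the commit message mentions.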
...@@ -1145,7 +1145,7 @@ static void read_slab_dir(void) ...@@ -1145,7 +1145,7 @@ static void read_slab_dir(void)
switch (de->d_type) { switch (de->d_type) {
case DT_LNK: case DT_LNK:
alias->name = strdup(de->d_name); alias->name = strdup(de->d_name);
count = readlink(de->d_name, buffer, sizeof(buffer)); count = readlink(de->d_name, buffer, sizeof(buffer)-1);
if (count < 0) if (count < 0)
fatal("Cannot read symlink %s\n", de->d_name); fatal("Cannot read symlink %s\n", de->d_name);