aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@redhat.com>2017-03-14 17:09:22 +0800
committerKevin Wolf <kwolf@redhat.com>2017-03-17 12:54:06 +0100
commit69583490856713f693291b32fc74b6d0f5992b72 (patch)
tree01eed1c3f6d1bfd64192f4d7f91616568f053066
parent272d7dee5951f926fad1911f2f072e5915cdcba0 (diff)
downloadqemu-arm-69583490856713f693291b32fc74b6d0f5992b72.tar.gz
file-posix: clean up max_segments buffer termination
The following pattern is unsafe: char buf[32]; ret = read(fd, buf, sizeof(buf)); ... buf[ret] = 0; If read(2) returns 32 then a byte beyond the end of the buffer is zeroed. In practice this buffer overflow does not occur because the sysfs max_segments file only contains an unsigned short + '\n'. The string is always shorter than 32 bytes. Regardless, avoid this pattern because static analysis tools might complain and it could lead to real buffer overflows if copy-pasted elsewhere in the codebase. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-rw-r--r--block/file-posix.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/block/file-posix.c b/block/file-posix.c
index c4c06637ef..ac6bd9fae8 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -686,7 +686,7 @@ static int hdev_get_max_segments(const struct stat *st)
goto out;
}
do {
- ret = read(fd, buf, sizeof(buf));
+ ret = read(fd, buf, sizeof(buf) - 1);
} while (ret == -1 && errno == EINTR);
if (ret < 0) {
ret = -errno;