Commit 13665a2d authored Feb 26, 2014 by Markus Armbruster Committed by Alex Williamson Feb 26, 2014

vfio: Fix overrun after readlink() fills buffer completely



readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte.  vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.

Fix by treating readlink() filling the buffer completely as error,
like we do in pci-assign.c's assign_failed_examine().

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

parent d5001cf7

hw/misc/vfio.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev)

		strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);

		len = readlink(path, iommu_group_path, PATH_MAX);
		if (len <= 0) {
		len = readlink(path, iommu_group_path, sizeof(path));
		if (len <= 0 \|\| len >= sizeof(path)) {
		error_report("vfio: error no iommu_group for device");
		return -errno;
		return len < 0 ? -errno : ENAMETOOLONG;
		}

		iommu_group_path[len] = 0;