Commit 69583490 authored Mar 14, 2017 by Stefan Hajnoczi Committed by Kevin Wolf Mar 17, 2017

file-posix: clean up max_segments buffer termination



The following pattern is unsafe:

  char buf[32];
  ret = read(fd, buf, sizeof(buf));
  ...
  buf[ret] = 0;

If read(2) returns 32 then a byte beyond the end of the buffer is
zeroed.

In practice this buffer overflow does not occur because the sysfs
max_segments file only contains an unsigned short + '\n'.  The string is
always shorter than 32 bytes.

Regardless, avoid this pattern because static analysis tools might
complain and it could lead to real buffer overflows if copy-pasted
elsewhere in the codebase.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

parent 272d7dee

block/file-posix.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -686,7 +686,7 @@ static int hdev_get_max_segments(const struct stat *st)
		goto out;
		}
		do {
		ret = read(fd, buf, sizeof(buf));
		ret = read(fd, buf, sizeof(buf) - 1);
		} while (ret == -1 && errno == EINTR);
		if (ret < 0) {
		ret = -errno;