44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
From c03fbc1a112d3f808512351a62f4c5f593694003 Mon Sep 17 00:00:00 2001
|
|
From: Chris Leech <cleech@redhat.com>
|
|
Date: Wed, 30 Oct 2019 11:29:56 -0700
|
|
Subject: [PATCH 21/43] Out-of-bounds write: Overrunning array link_target
|
|
|
|
---
|
|
usr/sysfs.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/usr/sysfs.c b/usr/sysfs.c
|
|
index b3102f0..2488160 100644
|
|
--- a/usr/sysfs.c
|
|
+++ b/usr/sysfs.c
|
|
@@ -225,7 +225,7 @@ struct sysfs_device *sysfs_device_get(const char *devpath)
|
|
strlcpy(link_path, sysfs_path, sizeof(link_path));
|
|
strlcat(link_path, dev->devpath, sizeof(link_path));
|
|
strlcat(link_path, "/subsystem", sizeof(link_path));
|
|
- len = readlink(link_path, link_target, sizeof(link_target));
|
|
+ len = readlink(link_path, link_target, sizeof(link_target) - 1);
|
|
if (len > 0) {
|
|
/* get subsystem from "subsystem" link */
|
|
link_target[len] = '\0';
|
|
@@ -255,7 +255,7 @@ struct sysfs_device *sysfs_device_get(const char *devpath)
|
|
strlcpy(link_path, sysfs_path, sizeof(link_path));
|
|
strlcat(link_path, dev->devpath, sizeof(link_path));
|
|
strlcat(link_path, "/driver", sizeof(link_path));
|
|
- len = readlink(link_path, link_target, sizeof(link_target));
|
|
+ len = readlink(link_path, link_target, sizeof(link_target) - 1);
|
|
if (len > 0) {
|
|
link_target[len] = '\0';
|
|
dbg("driver link '%s' points to '%s'", link_path, link_target);
|
|
@@ -363,7 +363,7 @@ char *sysfs_attr_get_value(const char *devpath, const char *attr_name)
|
|
int len;
|
|
const char *pos;
|
|
|
|
- len = readlink(path_full, link_target, sizeof(link_target));
|
|
+ len = readlink(path_full, link_target, sizeof(link_target) - 1);
|
|
if (len > 0) {
|
|
link_target[len] = '\0';
|
|
pos = strrchr(link_target, '/');
|
|
--
|
|
2.19.1
|
|
|