[Bug-tar] [PATCH] Possible off-by-one in readlink result
From: Tobias Stoeckmann
Subject: [Bug-tar] [PATCH] Possible off-by-one in readlink result
Date: Sun, 12 Jul 2015 11:37:27 +0200
The target length of a symbolic link is saved in stat.st_size. The
code already adds one byte for a terminating nul that has to be added
manually. But afterwards, readlink gets "stat.st_size + 1" as argument.
If the symbolic link in question gets replaced with a longer one between
lstat and readlink, the terminating '\0' will overflow the buffer by
one.
---
src/create.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/create.c b/src/create.c
index 1b08e0b..baf19e2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1843,7 +1843,7 @@ dump_file0 (struct tar_stat_info *st, char const *name,
char const *p)
if (linklen != st->stat.st_size || linklen + 1 == 0)
xalloc_die ();
buffer = (char *) alloca (linklen + 1);
- size = readlinkat (parentfd, name, buffer, linklen + 1);
+ size = readlinkat (parentfd, name, buffer, linklen);
if (size < 0)
{
file_removed_diag (p, top_level, readlink_diag);
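Review bot: passing linklen as the bufsiz now matches the alloca (linklen + 1) allocation and leaves the last byte for the terminator the caller writes, since readlinkat never nul-terminates; but the hunk stops at the `if (size < 0)` branch, so the lines that write `buffer[size] = '\0'` and compare `size` against `linklen` are not visible. Those should be checked alongside this change: with bufsiz reduced to linklen, a link replaced by a longer target between lstat and readlinkat no longer overflows, it is silently truncated and comes back with size == linklen, so the caller must treat that exact-fit case as a possible truncation (retry with a larger buffer or report it) rather than as a clean read.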
--
2.4.5
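Added example, not part of the patch or of GNU tar: a readlinkat wrapper that shows why bufsiz must be one less than the allocation and how to detect the truncation that the race in the description produces. It allocates from the lstat size hint, retries when the result fills the buffer exactly, and nul-terminates itself. The function names, the temp-directory layout and the link targets are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Read the target of the symlink `name` (relative to `dirfd`) into a
 * nul-terminated malloc'd string. `hint` is the length lstat() reported
 * in st_size; it may be stale if the link was replaced in the meantime,
 * which is exactly the window the patch above is about.
 *
 * readlinkat() writes no terminator and silently truncates to bufsiz, so:
 *   - bufsiz is always one less than the allocation (room for '\0'),
 *   - a result that fills bufsiz completely is treated as "possibly
 *     truncated" and the call is retried with a larger buffer.
 * Starting at hint + 2 means a fresh, accurate hint needs only one call.
 */
char *read_link_target(int dirfd, const char *name, size_t hint)
{
    size_t cap = hint + 2;
    for (;;) {
        char *buf = malloc(cap);
        if (buf == NULL)
            return NULL;
        ssize_t n = readlinkat(dirfd, name, buf, cap - 1);
        if (n < 0) {
            int saved = errno;          /* link vanished, EACCES, ... */
            free(buf);
            errno = saved;
            return NULL;
        }
        if ((size_t)n < cap - 1) {      /* did not fill bufsiz: complete */
            buf[n] = '\0';
            return buf;
        }
        free(buf);                      /* filled bufsiz: maybe truncated */
        if (cap > SIZE_MAX / 2) {
            errno = ENAMETOOLONG;
            return NULL;
        }
        cap *= 2;
    }
}

/*
 * Round trip in a fresh temp directory (constructed sample data). With
 * `race` set, the link is replaced by a longer target between lstat()
 * and readlinkat(), reproducing the scenario from the patch description.
 * Returns 1 if the target read back matches the link's final target.
 */
int demo_readlink(int race)
{
    const char *first  = "a";                                   /* constructed */
    const char *second = "a/much/longer/target/than/lstat/saw"; /* constructed */
    char dir[] = "/tmp/readlink_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    int ok = 0;
    struct stat st;
    if (dfd >= 0
        && symlinkat(first, dfd, "lnk") == 0
        && fstatat(dfd, "lnk", &st, AT_SYMLINK_NOFOLLOW) == 0) {
        const char *expect = first;
        if (race && unlinkat(dfd, "lnk", 0) == 0
                 && symlinkat(second, dfd, "lnk") == 0)
            expect = second;            /* st.st_size is now stale */
        char *got = read_link_target(dfd, "lnk", (size_t)st.st_size);
        ok = got != NULL && strcmp(got, expect) == 0;
        free(got);
    }
    if (dfd >= 0) {
        unlinkat(dfd, "lnk", 0);
        close(dfd);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("fresh hint: %s\n", demo_readlink(0) ? "ok" : "FAIL");
    printf("stale hint: %s\n", demo_readlink(1) ? "ok" : "FAIL");
    return 0;
}
```

With the stale hint of 1 byte the wrapper makes several calls, each one filling its buffer, until the 35-byte replacement target fits with a byte to spare; with an accurate hint it returns after a single call. The exact-fit check is what turns the overflow from the description into a detectable truncation.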