From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 18:52:23 +0000 (-0700)
Subject: Fix for buffer overflow defect in 'link'.
X-Git-Tag: mdadm-3.1.2~63^2~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a1920f2c26719d825521cfe6a2b78f4ff6eed99;p=thirdparty%2Fmdadm.git

Fix for buffer overflow defect in 'link'.

Potential buffer overflow of 'link' caused by user input may occur,
due to non null-terminated string 'link'.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---

diff --git a/platform-intel.c b/platform-intel.c
index d568ca61..b21ff075 100644
--- a/platform-intel.c
+++ b/platform-intel.c
@@ -57,13 +57,17 @@ struct sys_dev *find_driver_devices(const char *bus, const char *driver)
 	if (!driver_dir)
 		return NULL;
 	for (de = readdir(driver_dir); de; de = readdir(driver_dir)) {
+		int n;
+
 		/* is 'de' a device? check that the 'subsystem' link exists and
 		 * that its target matches 'bus'
 		 */
 		sprintf(path, "/sys/bus/%s/drivers/%s/%s/subsystem",
 			bus, driver, de->d_name);
-		if (readlink(path, link, sizeof(link)) < 0)
+		n = readlink(path, link, sizeof(link));
+		if (n < 0 || n >= sizeof(link))
 			continue;
+		link[n] = '\0';
 		c = strrchr(link, '/');
 		if (!c)
 			continue;