From: Syed Mohammed Nayyar Date: Sun, 28 Jun 2026 11:22:43 +0000 (+0530) Subject: portable: leave room for trailing NUL in metadata receive buffer X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=778c0e3a6cd25ef19c0c520b2e14311526254bd5;p=thirdparty%2Fsystemd.git portable: leave room for trailing NUL in metadata receive buffer receive_portable_metadata() reads each item into a stack buffer of PATH_MAX + NAME_MAX + 2 bytes, passes the full sizeof() as the recv iovec length, and then NUL-terminates with iov_buffer[n] = 0. recvmsg() can return n equal to the buffer size, so the terminator is written one byte past the end. Grow the buffer by one byte and cap the iovec at sizeof - 1, so a full record is still received and the trailing NUL always fits, matching the coredump-receive.c reader. --- diff --git a/src/portable/portable.c b/src/portable/portable.c index 9d510118be2..f0bdb40fd22 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -214,8 +214,8 @@ static int receive_portable_metadata( * but according to suggestions from the SELinux people this will change and it will probably * be identical to NAME_MAX. For now we use that, but this should be updated one day when the * final limit is known. */ - char iov_buffer[PATH_MAX + NAME_MAX + 2]; - struct iovec iov = IOVEC_MAKE(iov_buffer, sizeof(iov_buffer)); + char iov_buffer[PATH_MAX + NAME_MAX + 2 + 1]; /* One extra byte for the trailing NUL we add below. */ + struct iovec iov = IOVEC_MAKE(iov_buffer, sizeof(iov_buffer) - 1); ssize_t n = receive_one_fd_iov(socket_fd, &iov, 1, 0, &fd); if (n == -EIO)
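Review bot: The `+ 1` in the `iov_buffer` declaration and the `- 1` in `IOVEC_MAKE(iov_buffer, sizeof(iov_buffer) - 1)` are two separate literals that have to stay in step, and nothing in this hunk enforces that at the point where the terminator is written. The store itself (`iov_buffer[n] = 0`, per the commit message) lies outside the visible context, so a later edit to either line could reintroduce the one-byte overrun without touching the store. Consider asserting the bound right before that store, for example `assert((size_t) n < sizeof(iov_buffer));`, or deriving both sizes from one named constant, so the invariant is checked where it matters. It is also worth confirming that no other use of `sizeof(iov_buffer)` further down in `receive_portable_metadata()` still assumes the old size. Separately, with the iovec now one byte shorter than the array, a return of exactly `sizeof(iov_buffer) - 1` can mean either a full record or a longer one cut to fit. The visible lines pass `0` as the flags argument and do not show a truncation check, so a short comment saying how an over-long record is handled would help the next reader.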