[nfs] Fix off-by-one heap overflow in nfs_uri_symlink() master 1661/head
authorTheodore Riera <warsang@hotmail.com>
Thu, 4 Jun 2026 11:15:12 +0000 (12:15 +0100)
committerMichael Brown <mcb30@ipxe.org>
Thu, 4 Jun 2026 11:15:12 +0000 (12:15 +0100)
The length calculations in nfs_uri_symlink() omitted space for the
NUL terminator, causing strcpy() to write one byte past the heap
allocation.

Signed-off-by: Theodore Riera <warsang@hotmail.com>
src/net/oncrpc/nfs_uri.c

index b97fb91f9a9c0a7aa39c20263af73098dda6cd19..1323295668f0db7ba6e0f1fb6683bf0fe34862ba 100644 (file)
@@ -97,7 +97,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
                        return -EINVAL;
 
                len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
-                     strlen ( uri->mountpoint );
+                     strlen ( uri->mountpoint ) + 1;
                if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
                        return -ENOMEM;
 
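Review bot: The `+ 1` added to the length calculation has no comment saying what it accounts for, which is exactly how the terminator was dropped in the first place; make the invariant visible at the point of use, e.g. `strlen ( uri->mountpoint ) + 1 /* NUL terminator */;`, and the same on the corresponding line of the second hunk. The `len * sizeof ( char )` in the malloc call on the following line is redundant, since sizeof(char) is 1 by definition, so `malloc ( len )` says the same thing without suggesting the size might vary. Subtracting strlen(uri->mountpoint) is only safe if the -EINVAL return at the top of the hunk guarantees that the mountpoint is a prefix of symlink; that condition is outside the hunk so I cannot confirm it here, and a one-line comment naming that precondition above the calculation would guard against a size_t underflow if the check is ever relaxed. nfs_uri_symlink's body begins before this hunk and continues past it.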
@@ -105,7 +105,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
                strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
 
        } else {
-               len = strlen ( uri->lookup_pos ) + strlen ( symlink );
+               len = strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1;
                if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
                        return -ENOMEM;