file-posix: clean up max_segments buffer termination

The following pattern is unsafe: char buf[32]; ret = read(fd, buf, sizeof(buf)); ... buf[ret] = 0; If read(2) returns 32 then a byte beyond the end of the buffer is zeroed. In practice this buffer overflow does not occur because the sysfs max_segments file only contains an unsigned short + '\n'. The string is always shorter than 32 bytes. Regardless, avoid this pattern because static analysis tools might complain and it could lead to real buffer overflows if copy-pasted elsewhere in the codebase. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-03-14 17:09:22 +08:00 · 2017-03-14 17:09:22 +08:00 · 6958349085
commit 6958349085
parent 272d7dee59
1 changed files with 1 additions and 1 deletions
--- a/block/file-posix.c
+++ b/block/file-posix.c
@ -686,7 +686,7 @@ static int hdev_get_max_segments(const struct stat *st)
        goto out;
    }
    do {
-        ret = read(fd, buf, sizeof(buf));
+        ret = read(fd, buf, sizeof(buf) - 1);
    } while (ret == -1 && errno == EINTR);
    if (ret < 0) {
        ret = -errno;