aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Armbruster <armbru@redhat.com>2014-02-26 10:28:36 -0700
committerAlex Williamson <alex.williamson@redhat.com>2014-02-26 10:28:36 -0700
commit13665a2d2f675341e73618fcd7f9d36b6c68b509 (patch)
tree18b0db6388a85905cb0075c45e68c42331c48264
parentd5001cf787ad0514839a81d0f2e771e01e076e21 (diff)
vfio: Fix overrun after readlink() fills buffer completely
readlink() returns the number of bytes written to the buffer, and it doesn't write a terminating null byte. vfio_init() writes it itself. Overruns the buffer when readlink() filled it completely. Fix by treating readlink() filling the buffer completely as error, like we do in pci-assign.c's assign_failed_examine(). Spotted by Coverity. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-rw-r--r--hw/misc/vfio.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 8db182fa3d..e669bbeca1 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev)
strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1);
- len = readlink(path, iommu_group_path, PATH_MAX);
- if (len <= 0) {
+ len = readlink(path, iommu_group_path, sizeof(path));
+ if (len <= 0 || len >= sizeof(path)) {
error_report("vfio: error no iommu_group for device");
- return -errno;
+ return len < 0 ? -errno : ENAMETOOLONG;
}
iommu_group_path[len] = 0;