diff options
author | Markus Armbruster <armbru@redhat.com> | 2014-02-26 10:28:36 -0700 |
---|---|---|
committer | Alex Williamson <alex.williamson@redhat.com> | 2014-02-26 10:28:36 -0700 |
commit | 13665a2d2f675341e73618fcd7f9d36b6c68b509 (patch) | |
tree | 18b0db6388a85905cb0075c45e68c42331c48264 | |
parent | d5001cf787ad0514839a81d0f2e771e01e076e21 (diff) |
vfio: Fix overrun after readlink() fills buffer completely
readlink() returns the number of bytes written to the buffer, and it
doesn't write a terminating null byte. vfio_init() writes it itself.
Overruns the buffer when readlink() filled it completely.
Fix by treating readlink() filling the buffer completely as error,
like we do in pci-assign.c's assign_failed_examine().
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-rw-r--r-- | hw/misc/vfio.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c index 8db182fa3d..e669bbeca1 100644 --- a/hw/misc/vfio.c +++ b/hw/misc/vfio.c @@ -3681,10 +3681,10 @@ static int vfio_initfn(PCIDevice *pdev) strncat(path, "iommu_group", sizeof(path) - strlen(path) - 1); - len = readlink(path, iommu_group_path, PATH_MAX); - if (len <= 0) { + len = readlink(path, iommu_group_path, sizeof(path)); + if (len <= 0 || len >= sizeof(path)) { error_report("vfio: error no iommu_group for device"); - return -errno; + return len < 0 ? -errno : ENAMETOOLONG; } iommu_group_path[len] = 0; |