From 273fec8ede2bf1ec7c9fb14e841e383277113fdf Mon Sep 17 00:00:00 2001
From: Rob Bradford
Date: Tue, 9 Oct 2012 18:44:33 +0100
Subject: [PATCH] backlight: Avoid buffer overflow in the use of readlink

readlink() returns the number of bytes that it has written excluding any NUL byte (since it does not write that itself.) This could lead to attempting to access beyond the end of buffer if the destination of the link is exactly 100 bytes long. The standard solution to this is to subtract one from the buffer when passing it into readlink().

Signed-off-by: Rob Bradford
---
 src/libbacklight.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libbacklight.c b/src/libbacklight.c
index 37f4bccf..c432c6e5 100644
--- a/src/libbacklight.c
+++ b/src/libbacklight.c
@@ -166,7 +166,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
 if (asprintf(&path, "%s/%s", syspath, "device") < 0)
 return NULL;

- ret = readlink(path, buffer, sizeof(buffer));
+ ret = readlink(path, buffer, sizeof(buffer) - 1);
 free(path);
 if (ret < 0)
 return NULL;
@@ -248,7 +248,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
 if (asprintf(&path, "%s/%s", backlight_path, "device") < 0)
 return NULL;

- ret = readlink(path, buffer, sizeof(buffer));
+ ret = readlink(path, buffer, sizeof(buffer) - 1);
 if (ret < 0)
 goto out;
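Review bot: Truncation is still undetected at both readlink() calls (the hunks at line 166 and line 248): readlink() silently cuts off a target that does not fit, so a return value of `sizeof(buffer) - 1` cannot be told apart from a shortened path, and the code would go on to use it. Treating that case as a failure closes the gap, e.g. `if (ret < 0 || (size_t)ret >= sizeof(buffer) - 1) return NULL;` in the first hunk and the same condition in front of `goto out;` in the second. The NUL termination this fix relies on (presumably `buffer[ret] = '\0';`) is outside both hunks, as is the rest of backlight_init, so it is worth confirming each call site terminates the buffer before it is used as a string.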