mkdev: Avoid out of bounds read
author Hauke Mehrtens <hauke@hauke-m.de>
Mon, 2 Sep 2019 19:26:18 +0000 (21:26 +0200)
committer Hauke Mehrtens <hauke@hauke-m.de>
Fri, 20 Sep 2019 19:34:32 +0000 (21:34 +0200)

readlink() truncates and does not null terminate the string when more
bytes would be written than available. Just increase the char array by
one and assume that there is a problem when all bytes are needed.

Coverity: #1330087, #1329991
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
libblkid-tiny/mkdev.c

index a35722b9aedeeef40a30445b1a619438d612e201..e8ce841f3eb7629d17593a31e1cebdcdce7b6d94 100644 (file)
@@ -31,7 +31,7 @@
 
 #include <syslog.h>
 
-static char buf[PATH_MAX];
+static char buf[PATH_MAX + 1];
 static char buf2[PATH_MAX];
 static unsigned int mode = 0600;
 
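Review bot: The `+ 1` on `buf` carries no comment, and `buf2` next to it stays at `PATH_MAX`, so the asymmetry looks accidental to anyone reading only the declarations. The extra byte is what lets the readlink() call in find_devs() tell a truncated result from a full-length one, and a later cleanup that brings `buf` back to `PATH_MAX` would make the `buf[len] = 0` write go one past the end again for a maximum-length target. A one-line comment on the declaration, stating that the spare byte is the truncation sentinel for readlink(), would keep the two changes tied together.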
@@ -66,7 +66,7 @@ static void find_devs(bool block)
 
                strcpy(path, dp->d_name);
                len = readlink(buf2, buf, sizeof(buf));
-               if (len <= 0)
+               if (len <= 0 || len == sizeof(buf))
                        continue;
 
                buf[len] = 0;
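Review bot: The added `len == sizeof(buf)` test compares readlink()'s signed return value with a `size_t`; the declaration of `len` is not visible in this hunk, so it is worth confirming its type is `ssize_t` (or at least that no narrowing happens) and writing the comparison as `(size_t)len >= sizeof(buf)` to avoid a sign-compare warning and to be robust if the bound ever changes. The logic itself holds: because `len <= 0` is tested first, `len` is positive when the second operand is evaluated, and after the check `len` is at most `sizeof(buf) - 1`, so `buf[len] = 0` stays in bounds. One further point: a truncated link is skipped silently with `continue`; since `<syslog.h>` is already included in this file, a debug-level message for the skipped entry would make an over-long target diagnosable.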