Commit b7052cd7 authored by Stefan Hajnoczi's avatar Stefan Hajnoczi Committed by J. Bruce Fields

sunrpc/cache: fix off-by-one in qword_get()

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len < bufsize) {
          ...
          *dest++ = (h << 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
parent 18558cae
...@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize) ...@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
if (bp[0] == '\\' && bp[1] == 'x') { if (bp[0] == '\\' && bp[1] == 'x') {
/* HEX STRING */ /* HEX STRING */
bp += 2; bp += 2;
while (len < bufsize) { while (len < bufsize - 1) {
int h, l; int h, l;
h = hex_to_bin(bp[0]); h = hex_to_bin(bp[0]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment