From 56dea476eafa20bf0c034a983be912a646503663 Mon Sep 17 00:00:00 2001 From: "Isaac J. Manjarres" Date: Fri, 18 Apr 2025 14:04:20 -0700 Subject: [PATCH] ANDROID: ashmem_rust: Fix off-by-one errors in get_name() The current logic returns an error if the name of the buffer plus the NUL terminating byte is exactly ASHMEM_NAME_LEN. This is incorrect, as names are expected to have a maximum length of ASHMEM_NAME_LEN, which accounts for the NUL terminating byte Thus, change the error condition to be true if the length of the buffer name plus the NUL terminating byte would be too big to fit in an ASHMEM_NAME_LEN sized region. Also, the buffer name is copied into indices [0 len - 1], so the NUL terminating byte should be at index len, not len + 1. Bug: 411723589 Change-Id: Ie8ecbad7b90848fea529ca7d043489edd952e333 Signed-off-by: Isaac J. Manjarres
---
 drivers/staging/android/ashmem_rust.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/android/ashmem_rust.rs b/drivers/staging/android/ashmem_rust.rs
index ed26b05f0500..ba1ebce05af0 100644
--- a/drivers/staging/android/ashmem_rust.rs
+++ b/drivers/staging/android/ashmem_rust.rs
@@ -313,13 +313,13 @@ impl Ashmem {
 let name = asma.name.as_deref().unwrap_or(b"dev/ashmem");
 let len = name.len();
 let len_with_nul = len + 1;
- if local_name.len() <= len_with_nul {
+ if local_name.len() < len_with_nul {
 // This shouldn't happen in practice since `set_name` will refuse to store a string
 // that is too long.
 return Err(EINVAL);
 }
 local_name[..len].copy_from_slice(name);
- local_name[len_with_nul] = 0;
+ local_name[len] = 0;
 drop(asma);
 writer.write_slice(&local_name[..len_with_nul])?;
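Review bot: The relaxed guard `if local_name.len() < len_with_nul` now admits the exact-fit case, where `local_name[len] = 0` writes the last byte of the buffer, but nothing in the hunk states that invariant or ties it to the limit `set_name` enforces. An out-of-range index here would panic in kernel context, so I would add a comment above the check such as `// Exact fit is valid: bytes [0, len) hold the name and index len holds the NUL.` It is also worth confirming that `set_name` (outside this hunk) rejects names longer than `ASHMEM_NAME_LEN - 1` bytes, which is presumably the bound this check mirrors. A test that sets a maximum-length name and reads it back would pin both off-by-one fixes. The body of `get_name` starts and ends outside the hunk.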