sunrpc/cache: fix off-by-one in qword_get()
The qword_get() function NUL-terminates its output buffer. If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:
int qword_get(char **bpp, char *dest, int bufsize)
{
...
while (len < bufsize) {
...
*dest++ = (h << 4) | l;
len++;
}
...
*dest = '\0';
return len;
}
This patch ensures the NUL terminator doesn't fall outside the output
buffer.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
This commit is contained in:
committed by
J. Bruce Fields
parent
18558cae02
commit
b7052cd7bc
+1
-1
@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
|
||||
if (bp[0] == '\\' && bp[1] == 'x') {
|
||||
/* HEX STRING */
|
||||
bp += 2;
|
||||
while (len < bufsize) {
|
||||
while (len < bufsize - 1) {
|
||||
int h, l;
|
||||
|
||||
h = hex_to_bin(bp[0]);
|
||||
|
||||
Reference in New Issue
Block a user