Artur Wojcik: Fix for buffer overflow defect in 'link'.

Martin F. Krafft madduck at alioth.debian.org
Wed Jan 27 02:03:48 UTC 2010


Module: mdadm
Branch: upstream
Commit: 5a1920f2c26719d825521cfe6a2b78f4ff6eed99
URL:    http://git.debian.org/?p=pkg-mdadm/mdadm.git;a=commit;h=5a1920f2c26719d825521cfe6a2b78f4ff6eed99

Author: Artur Wojcik <artur.wojcik at intel.com>
Date:   Thu Dec 10 11:52:23 2009 -0700

Fix for buffer overflow defect in 'link'.

Potential buffer overflow of 'link' caused by user input may occur,
due to non null-terminated string 'link'.

Signed-off-by: Artur Wojcik <artur.wojcik at intel.com>
Signed-off-by: Dan Williams <dan.j.williams at intel.com>

---

 platform-intel.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/platform-intel.c b/platform-intel.c
index d568ca6..b21ff07 100644
--- a/platform-intel.c
+++ b/platform-intel.c
@@ -57,13 +57,17 @@ struct sys_dev *find_driver_devices(const char *bus, const char *driver)
 	if (!driver_dir)
 		return NULL;
 	for (de = readdir(driver_dir); de; de = readdir(driver_dir)) {
+		int n;
+
 		/* is 'de' a device? check that the 'subsystem' link exists and
 		 * that its target matches 'bus'
 		 */
 		sprintf(path, "/sys/bus/%s/drivers/%s/%s/subsystem",
 			bus, driver, de->d_name);
-		if (readlink(path, link, sizeof(link)) < 0)
+		n = readlink(path, link, sizeof(link));
+		if (n < 0 || n >= sizeof(link))
 			continue;
+		link[n] = '\0';
 		c = strrchr(link, '/');
 		if (!c)
 			continue;
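
Review bot: 'n' is declared int in the added "int n;" but it holds the return value of readlink(), which is ssize_t, and is then compared against sizeof(link), a size_t, in "if (n < 0 || n >= sizeof(link))". That mixed signed/unsigned comparison gives the right result only because the n < 0 test comes first and short-circuits. Declaring it as ssize_t and making the comparison explicit, or passing sizeof(link) - 1 to readlink() so that "link[n] = '\0';" is always in bounds, would state the intent directly. A one-line comment that a return equal to sizeof(link) means the target may have been truncated would also explain why such entries are skipped. Separately, the unchanged sprintf() into 'path' in the context lines above formats de->d_name with no length bound; if 'path' is a fixed-size buffer, snprintf() with its size would be consistent with this fix.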



