tools, slub: Fix off-by-one buffer corruption after readlink() call

readlink() never zero terminates the provided buffer.
Therefore we already do

    buffer[count] = 0;

This leads to an off-by-one buffer corruption as readlink()
might return the full size of the buffer.

The common technique is to reduce the buffer size by one.
Another fix would be to check

  if (count < 0 || count == sizeof(buffer))
      fatal();

Reducing the buffer size by one is easier IMHO.

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Christoph Lameter <cl@gentwo.org>
Signed-off-by: Pekka Enberg <penberg@kernel.org>

diff --git a/tools/slub/slabinfo.c b/tools/slub/slabinfo.c
index 868cc93f7ac23152b20a54aaa1ce3a21f2b4a626..cc1a378f9c06ab4df31fb60eb5b2aa206b23bfa9 100644 (file)
--- a/tools/slub/slabinfo.c
+++ b/tools/slub/slabinfo.c
@@ -1145,7 +1145,7 @@ static void read_slab_dir(void)
                switch (de->d_type) {
                   case DT_LNK:
                        alias->name = strdup(de->d_name);
-                       count = readlink(de->d_name, buffer, sizeof(buffer));
+                       count = readlink(de->d_name, buffer, sizeof(buffer)-1);
 
                        if (count < 0)
                                fatal("Cannot read symlink %s\n", de->d_name);