瀏覽代碼

Greg Nutt writes:

Attached is a patch for a bug I found in libc/termios/ttyname.c.
Essentially the length of the buffer is calculated incorrectly in a
strncpy call and then the null terminator is placed on the byte after
the buffer.

This probably cause some very strange behavior on my system (it ended up
setting malloc's heapsize to zero) but may be innocuous on other systems.
Eric Andersen 21 年之前
父節點
當前提交
e466854335
共有 1 個文件被更改,包括 2 次插入2 次删除
  1. 2 2
      libc/termios/ttyname.c

+ 2 - 2
libc/termios/ttyname.c

@@ -19,8 +19,8 @@ static int __check_dir_for_tty_match(char * dirname, struct stat *st, char *buf,
     len = strlen(dirname) + 1;
 
     while ((d = readdir(fp)) != 0) {
-	strncpy(buf+len, d->d_name, buflen);
-	buf[buflen]='\0';
+	strncpy(buf+len, d->d_name, buflen-len);
+	buf[buflen-1]='\0';
 #if 0
 	/* Stupid filesystems like cramfs fail to guarantee that
 	 * st_ino and st_dev uniquely identify a file, contrary to