[nfs] Fix off-by-one heap overflow in nfs_uri_symlink()

The length calculations in nfs_uri_symlink() omitted space for the
NUL terminator, causing strcpy() to write one byte past the heap
allocation.

Signed-off-by: Theodore Riera <warsang@hotmail.com>
Theodore Riera
2026-06-04 12:15:12 +01:00
committed by Michael Brown
parent e0a2ca984f
commit ce6ad2be02
+2 -2
@@ -97,7 +97,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
return -EINVAL; return -EINVAL;
len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \ len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
strlen ( uri->mountpoint ); strlen ( uri->mountpoint ) + 1;
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) ) if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
return -ENOMEM; return -ENOMEM;
@@ -105,7 +105,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
strcpy ( new_path + strlen ( new_path ), uri->lookup_pos ); strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
} else { } else {
len = strlen ( uri->lookup_pos ) + strlen ( symlink ); len = strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1;
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) ) if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
return -ENOMEM; return -ENOMEM;
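Review bot: The copies into new_path are still unbounded. The `strcpy ( new_path + strlen ( new_path ), uri->lookup_pos )` in the second hunk never consults `len`, so only the hand-computed sum keeps the write inside the allocation, and a future miscount would overflow the heap again instead of failing. Building the path with a single write bounded by `len` (for example `snprintf ( new_path, len, "%s%s", first, second )` with the return value checked) would tie the write to the allocation size. In the first hunk, `strlen ( symlink ) - strlen ( uri->mountpoint )` wraps if len is unsigned and symlink is shorter than the mountpoint; the guard lies above the hunk, where only its `return -EINVAL;` is visible, so confirm it rejects that case. A `/* +1 for NUL terminator */` comment beside each `+ 1` would keep the reason on the line. nfs_uri_symlink() starts and ends outside the visible hunks.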