backlight: Avoid buffer overflow in the use of readlink readlink() returns the number of bytes that it has written excluding any NUL byte (since it does not write that itself.) This could lead to attempting to access beyond the end of buffer if the destination of the link is exactly 100 bytes long. The standard solution to this is to subtract one from the buffer when passing it into readlink(). Signed-off-by: Rob Bradford <rob@linux.intel.com>

commit: 273fec8ede2bf1ec7c9fb14e841e383277113fdf [log] [tgz]
author: Rob Bradford <rob@linux.intel.com> Tue Oct 09 18:44:33 2012 +0100
committer: Kristian Høgsberg <krh@bitplanet.net> Tue Oct 09 22:55:07 2012 -0400
tree: 17d1a5d2f3aa191b1edcabb29706396ee1fd5776
parent: ec913fdfdeeeacb04ed0c23584e3598f1817eca3 [diff]
diff --git a/src/libbacklight.c b/src/libbacklight.c
index 37f4bcc..c432c6e 100644
--- a/src/libbacklight.c
+++ b/src/libbacklight.c

@@ -166,7 +166,7 @@
 	if (asprintf(&path, "%s/%s", syspath, "device") < 0)
 		return NULL;
 
-	ret = readlink(path, buffer, sizeof(buffer));
+	ret = readlink(path, buffer, sizeof(buffer) - 1);
 	free(path);
 	if (ret < 0)
 		return NULL;
@@ -248,7 +248,7 @@
 		if (asprintf(&path, "%s/%s", backlight_path, "device") < 0)
 			return NULL;
 
-		ret = readlink(path, buffer, sizeof(buffer));
+		ret = readlink(path, buffer, sizeof(buffer) - 1);
 
 		if (ret < 0)
 			goto out;
commit	273fec8ede2bf1ec7c9fb14e841e383277113fdf	[log] [tgz]
author	Rob Bradford <rob@linux.intel.com>	Tue Oct 09 18:44:33 2012 +0100
committer	Kristian Høgsberg <krh@bitplanet.net>	Tue Oct 09 22:55:07 2012 -0400
tree	17d1a5d2f3aa191b1edcabb29706396ee1fd5776
parent	ec913fdfdeeeacb04ed0c23584e3598f1817eca3 [diff]