...
If len is equal to sizeof(buf), the null terminator will be written one byte past the end of buf.
```c
enum { BUFFERSIZE = 256 };
char buf[BUFFERSIZE];
ssize_t len = readlink("/usr/bin/perl", buf, sizeof(buf));
buf[len] = '\0';  /* one byte past the end of buf when len == sizeof(buf) */
```
...
```c
char buf[PATH_MAX+1];
ssize_t len = readlink("/usr/bin/perl", buf, sizeof(buf));
buf[len] = '\0';
```
This "fix" incorrectly assumes that PATH_MAX represents the longest possible path for a file in the filesystem. (PATH_MAX only bounds the longest possible relative path that can be passed to the kernel in a single call.) On most Unix and Linux systems, there is no easily determined maximum length for a file path, so the off-by-one buffer overflow risk is still present.
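Because no fixed size is guaranteed to hold every link target, one option is to grow the buffer until readlink() returns fewer bytes than it was offered, which also keeps the terminator write in bounds. This is an added example, not code from the original page; read_link_alloc and INITIAL_SIZE are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { INITIAL_SIZE = 64 };  /* assumed starting size; any value >= 1 works */

/* read_link_alloc (hypothetical helper): return the target of symlink `path`
 * as a malloc'd, null-terminated string, or NULL on error with errno set.
 * The caller frees the result. */
char *read_link_alloc(const char *path) {
    size_t size = INITIAL_SIZE;
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        ssize_t len = readlink(path, buf, size);
        if (len < 0) {                 /* -1: not a symlink, no such file, ... */
            int saved = errno;
            free(buf);
            errno = saved;
            return NULL;
        }
        if ((size_t)len < size) {      /* room left, so buf[len] is in bounds */
            buf[len] = '\0';
            return buf;
        }
        /* len == size: target filled the buffer and may be truncated; retry. */
        free(buf);
        if (size > SIZE_MAX / 2) {
            errno = ENAMETOOLONG;
            return NULL;
        }
        size *= 2;
    }
}

int main(void) {
    char *target = read_link_alloc("/usr/bin/perl");
    if (target == NULL) { perror("readlink"); return 1; }
    puts(target);
    free(target);
    return 0;
}
```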
...