From: David van Moolenbroek Date: Sat, 29 Aug 2009 08:22:50 +0000 (+0000) Subject: VFS: fetch_name() buffer underflow (reported by John Peace, bug #305) X-Git-Tag: v3.1.5~171 X-Git-Url: http://zhaoyanbai.com/repos/%22http:/www.isc.org/icons/zpipe.c?a=commitdiff_plain;h=42f0bf7dda713f1447f2369b2f925ade7266d16d;p=minix.git VFS: fetch_name() buffer underflow (reported by John Peace, bug #305) --- diff --git a/servers/vfs/utility.c b/servers/vfs/utility.c index 6427bbaba..81b3651e2 100644 --- a/servers/vfs/utility.c +++ b/servers/vfs/utility.c @@ -34,7 +34,7 @@ int flag; /* M3 means path may be in message */ * If it is not, go copy it from user space. */ register char *rpu, *rpm; - int r; + int r, count; if (len > PATH_MAX) { #if 0 @@ -61,7 +61,8 @@ int flag; /* M3 means path may be in message */ /* Just copy the path from the message to 'user_fullpath'. */ rpu = &user_fullpath[0]; rpm = m_in.pathname; /* contained in input message */ - do { *rpu++ = *rpm++; } while (--len); + count = len; + do { *rpu++ = *rpm++; } while (--count); r = OK; } else { /* String is not contained in the message. Get it from user space. */