namei: fix buffer overflow
authorKarel Zak <kzak@redhat.com>
Tue, 6 Jan 2009 13:26:12 +0000 (14:26 +0100)
committerKarel Zak <kzak@redhat.com>
Tue, 6 Jan 2009 13:26:12 +0000 (14:26 +0100)
 $ ./namei  /usr/bin/java
 *** glibc detected *** ./namei: free(): invalid next size (fast): 0x00000000018e5070 ***
 [...]
 Aborted

Reported-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Karel Zak <kzak@redhat.com>
misc-utils/namei.c

index 37909fe4f7d06015136ea6a2f78ce98e65ae45c3..c259b30f7d0437245ffcb4b683cae60a9c1dd9ff 100644 (file)
@@ -197,10 +197,11 @@ readlink_to_namei(struct namei *nm, const char *path)
                err(EXIT_FAILURE, _("out of memory?"));
 
        if (*sym != '/') {
+               /* create the absolute path from the relative symlink */
                memcpy(nm->abslink, path, nm->relstart);
                *(nm->abslink + nm->relstart) = '/';
                nm->relstart++;
-               memcpy(nm->abslink + nm->relstart, sym, sz);
+               memcpy(nm->abslink + nm->relstart, sym, sz - nm->relstart);
        } else
                memcpy(nm->abslink, sym, sz);
        nm->abslink[sz] = '\0';
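Review bot: The new copy length `sz - nm->relstart` is only a correct bound if `sz` was already enlarged by the directory prefix plus one byte for the separator, and that arithmetic sits above the hunk, where readlink_to_namei's body begins. This branch writes the '/' and increments `nm->relstart` unconditionally, so if `nm->relstart` can be 0 here (a path with no directory part) and `sz` was left as the bare link length in that case, the copy comes out one byte short and the result gains a stray leading '/'. Guarding the branch with `if (*sym != '/' && nm->relstart) {` would route the no-prefix case to the plain `memcpy(nm->abslink, sym, sz)` path. Since the length is presumably an unsigned subtraction feeding memcpy, a one-line comment stating the invariant, e.g. `/* here sz == relstart + 1 + link length */`, would let the bound be checked from this block alone.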