From d1729bed6b741cc6112e4da72c3bae286bbb9f7c Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0042-proc/slab.h: Fix off-by-one overflow in sscanf().

In proc/slab.c, functions parse_slabinfo20() and parse_slabinfo11(),
sscanf() might overflow curr->name, because "String input conversions
store a terminating null byte ('\0') to mark the end of the input; the
maximum field width does not include this terminator."

Add one byte to name[] for this terminator.

---------------------------- adapted for newlib branch
. file is now proc/slabinfo.c (not .h)
. manifest constant renamed SLABINFO_NAME_LEN
. older parse_slabinfo11() function no longer present

Signed-off-by: Jim Warner <james.warner@comcast.net>
---
 proc/slabinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proc/slabinfo.c b/proc/slabinfo.c
index ba0219c4..966cf7d3 100644
--- a/proc/slabinfo.c
+++ b/proc/slabinfo.c
@@ -76,7 +76,7 @@ struct slabs_summ {
 };
 
 struct slabs_node {
-    char name[SLABINFO_NAME_LEN];    // name of this cache
+    char name[SLABINFO_NAME_LEN+1];  // name of this cache
     unsigned long cache_size;        // size of entire cache
     unsigned int  nr_objs;           // number of objects in this cache
     unsigned int  nr_active_objs;    // number of active objects