Static analysis reports that when 'csv' is allocated for 'len' bytes,
writing to csv[len] results in an out of bounds access. Fix this
truncation operation to instead write the NUL terminator to csv[len -
1], which is the last byte of the memory allocated.
Fixes: 3d6cd829ec08 ("cxl/region: Use cxl_filter_walk() to gather create-region
targets")
Cc: Dan Williams <[email protected]>
Signed-off-by: Vishal Verma <[email protected]>
---
cxl/region.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cxl/region.c b/cxl/region.c
index 9a81113..89be9b5 100644
--- a/cxl/region.c
+++ b/cxl/region.c
@@ -156,7 +156,7 @@ static const char *to_csv(int *count, const char **strings)
cursor += snprintf(csv + cursor, len - cursor, "%s%s",
arg, i + 1 < new_count ? "," : "");
if (cursor >= len) {
- csv[len] = 0;
+ csv[len - 1] = 0;
break;
}
}
--
2.39.0
