From 864e2e22fcd0cba3f5e67680ccabd0302dfda45d Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Tue, 12 Apr 2016 16:30:28 -0700
Subject: Fix overflow in path building

An incorrect size was causing an unsigned value
to wrap, causing it to write past the end of
the buffer.

Bug: 28085658
Change-Id: Ie9625c729cca024d514ba2880ff97209d435a165
---
 sdcard/sdcard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c
index 06452aa..123fce6 100644
--- a/sdcard/sdcard.c
+++ b/sdcard/sdcard.c
@@ -337,7 +337,7 @@ static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize
 
     ssize_t pathlen = 0;
     if (node->parent && node->graft_path == NULL) {
-        pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 2);
+        pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 1);
         if (pathlen < 0) {
             return -1;
         }
-- 
cgit v1.1