From af49c109e456dcba341b7536549833ab95d80468 Mon Sep 17 00:00:00 2001
From: Edward Hervey <edward@centricular.com>
Date: Mon, 20 Apr 2015 14:20:05 +0200
Subject: [PATCH] shmpipe: Ensure string received from recv() is
 NULL-terminated

We will be doing string operations on it later.

CID #1292830
---
 sys/shm/shmpipe.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/shm/shmpipe.c b/sys/shm/shmpipe.c
index 0d7bf26..de89026 100644
--- a/sys/shm/shmpipe.c
+++ b/sys/shm/shmpipe.c
@@ -669,13 +669,15 @@ sp_client_recv (ShmPipe * self, char **buf)
       assert (cb.payload.new_shm_area.path_size > 0);
       assert (cb.payload.new_shm_area.size > 0);
 
-      area_name = malloc (cb.payload.new_shm_area.path_size);
+      area_name = malloc (cb.payload.new_shm_area.path_size + 1);
       retval = recv (self->main_socket, area_name,
           cb.payload.new_shm_area.path_size, 0);
       if (retval != cb.payload.new_shm_area.path_size) {
         free (area_name);
         return -3;
       }
+      /* Ensure area_name is NULL terminated */
+      area_name[retval] = 0;
 
       newarea = sp_open_shm (area_name, cb.area_id, 0,
           cb.payload.new_shm_area.size);
-- 
2.7.4