From 72893797b41f40cfdf54a578ee9c474c43eaded9 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Tue, 24 Sep 2024 03:37:03 +0200
Subject: [PATCH] Fix panic in mmap shmem when full_file_name is less than MAX_MMAP_FILENAME_LEN (#2536)

* Fix panic in mmap shmem

* duh

* clippy

* fix null bytes

---------

Co-authored-by: Dominik Maier
---
 libafl_bolts/src/shmem.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libafl_bolts/src/shmem.rs b/libafl_bolts/src/shmem.rs
index 806141bcd6..c34121ab21 100644
--- a/libafl_bolts/src/shmem.rs
+++ b/libafl_bolts/src/shmem.rs
@@ -694,11 +694,13 @@ pub mod unix_shmem {
 /// This will *NOT* automatically delete the shmem files, meaning that it's user's responsibility to delete all `/dev/shm/libafl_*` after fuzzing
 pub fn new(map_size: usize, rand_id: u32) -> Result {
 unsafe {
- let full_file_name = format!("/libafl_{}_{}", process::id(), rand_id);
+ let mut full_file_name = format!("/libafl_{}_{}", process::id(), rand_id);
+ // leave one byte space for the null byte.
+ full_file_name.truncate(MAX_MMAP_FILENAME_LEN - 1);
 let mut filename_path = [0_u8; MAX_MMAP_FILENAME_LEN];
- filename_path
- .copy_from_slice(&full_file_name.as_bytes()[..MAX_MMAP_FILENAME_LEN]);
- filename_path[MAX_MMAP_FILENAME_LEN - 1] = 0; // Null terminate!
+ filename_path[0..full_file_name.len()]
+ .copy_from_slice(full_file_name.as_bytes());
+ filename_path[full_file_name.len()] = 0; // Null terminate!
 log::info!(
 "{} Creating shmem {} {:#?}",
 map_size,
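Review bot: The added `full_file_name.truncate(MAX_MMAP_FILENAME_LEN - 1)` replaces the old panic with silent truncation, and what gets cut is the tail of the name, i.e. the low digits of `rand_id` (and, for long pids, of the pid), so two segments created with different ids can end up with the same `/dev/shm` path and one fuzzer instance can attach to another's map without any error. Whether that length is reachable depends on the value of `MAX_MMAP_FILENAME_LEN`, which is not in the hunk, but the worst case of `/libafl_` plus two 10-digit `u32`s is 29 bytes, so it is worth ruling out explicitly rather than relying on the constant; I would reject the over-long name before the truncate, e.g. `if full_file_name.len() >= MAX_MMAP_FILENAME_LEN { return Err(/* illegal-argument error naming the shmem path and limit */); }`, or at the very least emit a `log::warn!` when the name was shortened so a collision is diagnosable. A minor style point: `filename_path[full_file_name.len()] = 0; // Null terminate!` is now a no-op because the array is zero-initialised on the line above; keeping it is fine for clarity, but the comment could say `// already 0 from the initialiser; kept to make the terminator explicit` so nobody "fixes" it later. The body of `new` continues past the end of the hunk, so I could not check how `filename_path` is later passed to the shm syscalls.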