Re: [PATCHv2 4/4] mkfs: avoid heap-buffer-read-underrun for zero-length "size" arg
From: Hugo Mills <hidden>
Date: 2012-06-06 19:36:02
On Fri, Apr 20, 2012 at 09:27:26PM +0200, Jim Meyering wrote:
quoted hunk ↗ jump to hunk
From: Jim Meyering <redacted> * mkfs.c (parse_size): ./mkfs.btrfs -A '' would read and possibly write the byte before beginning of strdup'd heap buffer. All other size-accepting options were similarly affected. Reviewed-by: Josef Bacik <redacted> --- cmds-subvolume.c | 2 +- mkfs.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)diff --git a/cmds-subvolume.c b/cmds-subvolume.c index fc749f1..a01c830 100644 --- a/cmds-subvolume.c +++ b/cmds-subvolume.c@@ -380,7 +380,7 @@ static int cmd_snapshot(int argc, char **argv) args.fd = fd; strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
^ +1
- args.name[BTRFS_PATH_NAME_MAX-1] = 0; + args.name[BTRFS_SUBVOL_NAME_MAX-1] = 0;
args.name[BTRFS_SUBVOL_NAME_MAX] = 0;
quoted hunk ↗ jump to hunk
res = ioctl(fddst, BTRFS_IOC_SNAP_CREATE_V2, &args); e = errno;diff --git a/mkfs.c b/mkfs.c index 03239fb..4aff2fd 100644 --- a/mkfs.c +++ b/mkfs.c@@ -63,7 +63,7 @@ static u64 parse_size(char *s) s = strdup(s); - if (!isdigit(s[len - 1])) { + if (len && !isdigit(s[len - 1])) {
I think I'd prefer that len is a size_t, not an int here. (Or that len is tested to be >0).
c = tolower(s[len - 1]);
switch (c) {
case 'g':Hugo. -- === Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk === PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk --- Your problem is that you've got too much taste to be --- a web developer.
Attachments
- signature.asc [application/pgp-signature] 190 bytes