Thread (8 messages) 8 messages, 2 authors, 2012-06-06

Re: [PATCHv2 3/4] avoid several strncpy-induced buffer overruns

From: Hugo Mills <hidden>
Date: 2012-06-06 19:40:28

On Wed, Jun 06, 2012 at 08:31:47PM +0100, Hugo Mills wrote:
quoted
@@ -378,6 +380,7 @@ static int cmd_snapshot(int argc, char **argv)

 	args.fd = fd;
 	strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
+	args.name[BTRFS_PATH_NAME_MAX-1] = 0;
   This, however, is wrong. args here is a struct
btrfs_ioctl_vol_args_v2, and the name field is BTRFS_SUBVOL_NAME_MAX+1
long, so it should be:

-  	strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
+  	strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX+1);
+	args.name[BTRFS_SUBVOL_NAME_MAX] = 0;
   Oops, just spotted the v3 with this fix in. Ignore this comment.
(I'm actually using the v3 in integration, but I reviewed the mail
from a different mailbox and got the wrong series...)

   Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
      --- Your problem is that you've got too much taste to be ---       
                            a web developer.                             

Attachments

Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help