Thread (3 messages) 3 messages, 2 authors, 2012-10-26

Re: [BUG][PATCH][BTRFS-PROGS] Bug overflow fix

From: Rock Lee <hidden>
Date: 2012-10-26 03:22:47

Yeah, I will improve the patch to get it better.

Thanks,
- Rock

2012/10/25 David Sterba [off-list ref]:
On Wed, Oct 24, 2012 at 04:24:02PM +0800, Rock Lee wrote:
quoted
If there's is a long name directory exists in the /dev, then an
overflow will hit in function utils.c btrfs_scan_one_dir:1013!

The minimal fix is to use snprintf instead of strcpy.

The reason why not using strncpy is that, if there is no null byte
among the first n bytes of src, the string  placed  in  dest
will not be null - terminated.

---
index 3c88d2e..7200aef 100644
--- a/utils.c
+++ b/utils.c
@@ -969,7 +969,7 @@ int btrfs_scan_one_dir(char *dirname, int run_ioctl)
      pending = malloc(sizeof(*pending));
      if (!pending)
              return -ENOMEM;
-     strcpy(pending->name, dirname);
+     snprintf(pending->name, sizeof(pending->name), "%s", dirname);
pending is defined as

919 struct pending_dir {
920         struct list_head list;
921         char name[256];
922 };

and name is supposed to hold a full path, so it should be of PATH_MAX
(4096) size, 256 is a limit for a single filename.

There's another hardcoded value for a path

971         dirname_len = strlen(pending->name);
972         pathlen = 1024;
^^^
973         fullpath = malloc(pathlen);
974         dirname = pending->name;

that shuld be of PATH_MAX size.

thanks,
david
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help