xfs
[Top] [All Lists]

[PATCH 5/8] xfs_fsr: guard against path string overflows

To: xfs@xxxxxxxxxxx
Subject: [PATCH 5/8] xfs_fsr: guard against path string overflows
From: Eric Sandeen <sandeen@xxxxxxxxxx>
Date: Sat, 26 Jan 2013 16:40:29 -0600
Cc: Eric Sandeen <sandeen@xxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <1359240032-11576-1-git-send-email-sandeen@xxxxxxxxxx>
References: <1359240032-11576-1-git-send-email-sandeen@xxxxxxxxxx>
gettmpname() and getparent() blindly copy strings
into a target array; be sure we limit the copy to
the size of the target and null terminate it.

I don't see a way to get here with a too-long name,
since most paths try to open or stat the file already,
but it can't hurt to be defensive.

Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
 fsr/xfs_fsr.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/fsr/xfs_fsr.c b/fsr/xfs_fsr.c
index 2db2224..843f57d 100644
--- a/fsr/xfs_fsr.c
+++ b/fsr/xfs_fsr.c
@@ -1452,7 +1452,8 @@ gettmpname(char *fname)
 
        sprintf(sbuf, "/.fsr%d", getpid());
 
-       strcpy(buf, fname);
+       strncpy(buf, fname, PATH_MAX);
+       buf[PATH_MAX] = '\0';
        ptr = strrchr(buf, '/');
        if (ptr) {
                *ptr = '\0';
@@ -1476,7 +1477,8 @@ getparent(char *fname)
        static char     buf[PATH_MAX+1];
        char            *ptr;
 
-       strcpy(buf, fname);
+       strncpy(buf, fname, PATH_MAX);
+       buf[PATH_MAX] = '\0';
        ptr = strrchr(buf, '/');
        if (ptr) {
                if (ptr == &buf[0])
-- 
1.7.1

<Prev in Thread] Current Thread [Next in Thread>