From: Lionel Sambuc Date: Tue, 19 Nov 2013 14:26:47 +0000 (+0100) Subject: libc/sys-minix/mount.c: fix overflow X-Git-Tag: v3.3.0~503 X-Git-Url: http://zhaoyanbai.com/repos/%22../static/icons/zlib_tech.html?a=commitdiff_plain;h=a00e322bea19582f58a947992ead5bf49ab9caae;p=minix.git libc/sys-minix/mount.c: fix overflow Fix a bug where a filesystem label could overflow the reserved buffer. This was already possible with 32 bits values, but is more proeminent with dev_t being 64 bits. Change-Id: Idc04ed355d1dd92b7a8ce4699de832661a5c4ccd --- diff --git a/include/minix/mount.h b/include/minix/mount.h index 3188694ee..bd9dc8c09 100644 --- a/include/minix/mount.h +++ b/include/minix/mount.h @@ -9,6 +9,8 @@ #define MS_REUSE 0x001 /* Tell RS to try reusing binary from memory */ #define MS_EXISTING 0x002 /* Tell mount to use already running server */ +#define MNT_LABEL_LEN 16 /* Length of fs label including nul */ + /* Legacy definitions. */ #define MNTNAMELEN 16 /* Length of fs type name including nul */ #define MNTFLAGLEN 64 /* Length of flags string including nul */ diff --git a/lib/libc/sys-minix/mount.c b/lib/libc/sys-minix/mount.c index e9609f92b..1224e2717 100644 --- a/lib/libc/sys-minix/mount.c +++ b/lib/libc/sys-minix/mount.c @@ -39,7 +39,7 @@ int mountflags, srvflags; int r; message m; struct stat statbuf; - char label[16]; + char label[MNT_LABEL_LEN]; char path[PATH_MAX]; char cmd[200]; char *p; @@ -75,24 +75,24 @@ int mountflags, srvflags; errno = EINVAL; return -1; } - sprintf(label, "fs_%.12s", p); + snprintf(label, MNT_LABEL_LEN, "fs_%.12s", p); } else { /* check for a rslabel option in the arguments and try to use * that. */ rslabel = find_rslabel(args); if (rslabel != NULL){ - snprintf(label,16,"%s",rslabel); + snprintf(label, MNT_LABEL_LEN, "%s", rslabel); free(rslabel); } else { if (stat(name, &statbuf) < 0) return -1; - sprintf(label, "fs_%04x%llx", statbuf.st_dev, statbuf.st_ino); + snprintf(label, MNT_LABEL_LEN, "fs_%llx_%llx", statbuf.st_dev, statbuf.st_ino); } } } else { /* label to long? */ - if (strlen(type) < 16) { - sprintf(label, "%s", type); + if (strlen(type) < MNT_LABEL_LEN) { + snprintf(label, MNT_LABEL_LEN, "%s", type); } else { errno = ENOMEM; return -1; @@ -174,7 +174,7 @@ int umount(name, srvflags) const char *name; int srvflags; { - char label[16]; + char label[MNT_LABEL_LEN]; message m; int r;