diff options
author | Daniel Golle <daniel@makrotopia.org> | 2021-05-12 17:07:28 +0100 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2021-05-16 00:28:11 +0100 |
commit | d47909ea1e5f32cfc9f756a04edc052717c98ae6 (patch) | |
tree | 8168ec79828109aeb216563c353ad2ae9b02d0fa | |
parent | 6d8450e9ffac42fca34df8972c5379821bf65eff (diff) | |
download | fstools-d47909ea1e5f32cfc9f756a04edc052717c98ae6.tar.gz |
libblkid-tiny: fix buffer overflow
Copying device name into a fixed-length buffer is problematic as
the name can be longer than the buffer, resulting in subsequent fields
getting corrupted and potentially even worse things.
Drop strcpy of device name and use of the copied value as it is known
anyway.
Before this fix:
/dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="c66-rw_test" LABEL="test" VERSION="1.14" TYPE="f2fs"
After this fix:
/dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="5eda3e52-3427-493a-a6d6-ffdb5a5836fd" LABEL="test" VERSION="1.14" TYPE="f2fs"
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r-- | libblkid-tiny/libblkid-tiny.c | 1 | ||||
-rw-r--r-- | probe.c | 6 |
2 files changed, 2 insertions, 5 deletions
diff --git a/libblkid-tiny/libblkid-tiny.c b/libblkid-tiny/libblkid-tiny.c index 52470ca..18db4ef 100644 --- a/libblkid-tiny/libblkid-tiny.c +++ b/libblkid-tiny/libblkid-tiny.c @@ -226,7 +226,6 @@ int probe_block(char *block, struct blkid_struct_probe *pr) DEBUG("probing %s\n", idinfos[i]->name); pr->err = idinfos[i]->probefunc(pr, mag); pr->id = idinfos[i]; - strcpy(pr->dev, block); if (!pr->err) break; } @@ -31,16 +31,14 @@ probe_path_tiny(const char *path) if (probe_block((char *)path, pr) == 0 && pr->id && !pr->err) { info = calloc_a(sizeof(*info), &type, strlen(pr->id->name) + 1, - &dev, strlen(pr->dev) + 1, + &dev, strlen(path) + 1, &uuid, strlen(pr->uuid) + 1, &label, strlen(pr->label) + 1, &version, strlen(pr->version) + 1); if (info) { info->type = strcpy(type, pr->id->name); - - if (pr->dev[0]) - info->dev = strcpy(dev, pr->dev); + info->dev = strcpy(dev, path); if (pr->uuid[0]) info->uuid = strcpy(uuid, pr->uuid); |