diff options
| author | ngie <ngie@FreeBSD.org> | 2016-06-10 14:08:41 +0000 |
|---|---|---|
| committer | ngie <ngie@FreeBSD.org> | 2016-06-10 14:08:41 +0000 |
| commit | f316eb23ef8ccdc71ef76c2ed1f9cf0e8fde1a94 (patch) | |
| tree | 481e96ad23c58ef94098d92dc4eef4b1526a936b /sbin | |
| parent | 44074e3ef1e88b7ee813efa2b4657ef5e3e16817 (diff) | |
| download | FreeBSD-src-f316eb23ef8ccdc71ef76c2ed1f9cf0e8fde1a94.zip FreeBSD-src-f316eb23ef8ccdc71ef76c2ed1f9cf0e8fde1a94.tar.gz | |
MFC r299460:
r299460 (by cem):
fsck_ffs: Don't overrun mount device buffer
Maybe this case is impossible. Either way, when attempting to "/dev/"-prefix a
non-global device name, check that we do not overrun the f_mntfromname buffer.
In this case, truncating (with strlcpy or similar) would not be useful, since
the f_mntfromname result of getmntpt() is passed directly to open(2) later.
CID: 1006789
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/fsck_ffs/main.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sbin/fsck_ffs/main.c b/sbin/fsck_ffs/main.c index 08c7745..c5b3b7a 100644 --- a/sbin/fsck_ffs/main.c +++ b/sbin/fsck_ffs/main.c @@ -644,6 +644,9 @@ getmntpt(const char *name) statfsp = &mntbuf[i]; ddevname = statfsp->f_mntfromname; if (*ddevname != '/') { + if (strlen(_PATH_DEV) + strlen(ddevname) + 1 > + sizeof(statfsp->f_mntfromname)) + continue; strcpy(device, _PATH_DEV); strcat(device, ddevname); strcpy(statfsp->f_mntfromname, device); |
