From f316eb23ef8ccdc71ef76c2ed1f9cf0e8fde1a94 Mon Sep 17 00:00:00 2001 From: ngie Date: Fri, 10 Jun 2016 14:08:41 +0000 Subject: MFC r299460: r299460 (by cem): fsck_ffs: Don't overrun mount device buffer Maybe this case is impossible. Either way, when attempting to "/dev/"-prefix a non-global device name, check that we do not overrun the f_mntfromname buffer. In this case, truncating (with strlcpy or similar) would not be useful, since the f_mntfromname result of getmntpt() is passed directly to open(2) later. CID: 1006789
---
 sbin/fsck_ffs/main.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sbin/fsck_ffs/main.c')
diff --git a/sbin/fsck_ffs/main.c b/sbin/fsck_ffs/main.c
index 08c7745..c5b3b7a 100644
--- a/sbin/fsck_ffs/main.c
+++ b/sbin/fsck_ffs/main.c
@@ -644,6 +644,9 @@ getmntpt(const char *name)
 statfsp = &mntbuf[i];
 ddevname = statfsp->f_mntfromname;
 if (*ddevname != '/') {
+ if (strlen(_PATH_DEV) + strlen(ddevname) + 1 >
+ sizeof(statfsp->f_mntfromname))
+ continue;
 strcpy(device, _PATH_DEV);
 strcat(device, ddevname);
 strcpy(statfsp->f_mntfromname, device);
-- cgit v1.1
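Review bot: The new guard bounds the prefixed name against `sizeof(statfsp->f_mntfromname)`, but the two copies that follow it write into `device` first, and the declaration of `device` is outside this hunk; if that buffer is smaller than `f_mntfromname`, the `strcpy`/`strcat` pair can still overrun it. Either confirm the sizes at the declaration or extend the condition with `|| strlen(_PATH_DEV) + strlen(ddevname) + 1 > sizeof(device)`. The `continue` also drops the mount entry without any diagnostic, which presumably makes getmntpt() report the file system as not mounted, so a short comment such as `/* too long to "/dev/"-prefix; skip rather than truncate, the name is later passed to open(2) */` would record the intent. getmntpt's body begins and ends outside the hunk.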