From: Brian Foster <bfoster@redhat.com>
To: Eric Sandeen <sandeen@redhat.com>
Cc: xfs-oss <xfs@oss.sgi.com>
Subject: Re: [PATCH] xfsprogs: properly terminate string in quota's restore_file()
Date: Wed, 26 Aug 2015 07:53:10 -0400
Message-ID: <20150826115308.GB11759@bfoster.bfoster>
In-Reply-To: <55DC9A41.8060006@redhat.com>

On Tue, Aug 25, 2015 at 11:39:29AM -0500, Eric Sandeen wrote:
> This code copies up to the entire size of devbuffer, and then
> tries to use "strlen" to null terminate it.
>
> But strlen works by *finding* the null, so it's at best a
> no-op, and at worst not properly terminating the string.
>
> Fix this by placing the null at the last byte of the buffer.
>
> Addresses-Coverity-Id: 1297519
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> ---
>
> diff --git a/quota/edit.c b/quota/edit.c
> index d226e89..a53a7e6 100644
> --- a/quota/edit.c
> +++ b/quota/edit.c
> @@ -385,7 +385,7 @@ restore_file(
> while (fgets(buffer, sizeof(buffer), fp) != NULL) {
> if (strncmp("fs = ", buffer, 5) == 0) {
> dev = strncpy(devbuffer, buffer+5, sizeof(devbuffer));
> - dev[strlen(dev) - 1] = '\0';
> + dev[sizeof(devbuffer) - 1] = '\0';

According to the man page, fgets() NULL terminates the provided buffer.
Next, we attempt to strncpy() just the device name part of the string
(copying up to 512 bytes from a 512-5 byte buffer). I'm not quite sure,
but it looks like the above line could be trying to replace a newline
with a NULL terminator..? E.g., it expects the last character in an
already NULL terminated line to be a newline.

Brian

> continue;
> }
> rtbsoft = rtbhard = 0;
>
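Review bot: The added `dev[sizeof(devbuffer) - 1] = '\0';` guarantees termination after the strncpy() but drops the newline stripping that the removed line appears to have been doing: fgets() keeps the '\n' in buffer, so dev would now end in a newline on every normal line. Consider keeping the new terminator and stripping the newline as a separate step, for example `dev[strcspn(dev, "\n")] = '\0';`, which also avoids the removed line's `strlen(dev) - 1` index when the name after "fs = " is empty.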
> _______________________________________________
> xfs mailing list
> xfs@oss.sgi.com
> http://oss.sgi.com/mailman/listinfo/xfs
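
The behaviour discussed in this thread, as an added example that is not part of either message and is not xfsprogs code: `parse_fs_line` is a hypothetical helper, and the sample lines and the 16-byte buffer are constructed. It copies the device name with strncpy(), forces termination at the last byte, and strips the newline as a separate step, covering a line without a newline, an empty name and an overlong name.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from xfsprogs): copy the device name that follows
 * "fs = " on a line read by fgets() into dst, always NUL-terminating dst and
 * removing the trailing newline if there is one.
 * Returns the stored name's length, or -1 if the line lacks the "fs = " prefix.
 */
static int parse_fs_line(const char *line, char *dst, size_t dstsize)
{
	size_t len;

	if (dstsize == 0 || strncmp("fs = ", line, 5) != 0)
		return -1;

	/* strncpy() does not terminate dst when the source fills it. */
	strncpy(dst, line + 5, dstsize);
	dst[dstsize - 1] = '\0';

	/* strcspn() yields 0 for an empty string, so no [strlen - 1] index. */
	len = strcspn(dst, "\n");
	dst[len] = '\0';
	return (int)len;
}

int main(void)
{
	/* Constructed sample lines, shaped as fgets() would return them. */
	const char *samples[] = {
		"fs = /dev/sda1\n",                    /* usual case */
		"fs = /dev/sdb2",                      /* last line, no newline */
		"fs = ",                               /* empty device name */
		"fs = /dev/mapper/a-very-long-name\n", /* longer than dev[] */
	};
	char dev[16];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int n = parse_fs_line(samples[i], dev, sizeof(dev));
		printf("%d \"%s\"\n", n, dev);
	}
	return 0;
}
```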