From: Jim Meyering <jim@meyering.net>
To: Josef Bacik <josef@redhat.com>
Cc: linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 3/4] avoid strncpy-induced buffer overrun
Date: Fri, 20 Apr 2012 21:26:58 +0200
Message-ID: <87vckui4ql.fsf@rho.meyering.net>
In-Reply-To: <20120420184235.GE1957@localhost.localdomain> (Josef Bacik's message of "Fri, 20 Apr 2012 14:42:35 -0400")

Josef Bacik wrote:
> On Fri, Apr 20, 2012 at 07:36:47PM +0200, Jim Meyering wrote:
>> From: Jim Meyering <meyering@redhat.com>
>>
>> * restore.c (main): Ensure strncpy-copied dir_name is NUL-terminated.
>> * btrfsctl.c (main): Likewise, for a command-line argument.
>> * utils.c (multiple functions): Likewise.
>> * btrfs-list.c (add_root): Likewise.
>> * btrfslabel.c (change_label_unmounted): Likewise.
>> * cmds-device.c (cmd_add_dev, cmd_rm_dev, cmd_scan_dev): Likewise.
>> * cmds-filesystem.c (cmd_resize): Likewise.
>> * cmds-subvolume.c (cmd_subvol_create, cmd_subvol_delete, cmd_snapshot):
>> Likewise.
...
>> diff --git a/cmds-subvolume.c b/cmds-subvolume.c
>> index 950fa8f..fc749f1 100644
>> --- a/cmds-subvolume.c
>> +++ b/cmds-subvolume.c
>> @@ -111,6 +111,7 @@ static int cmd_subvol_create(int argc, char **argv)
>>
>>  	printf("Create subvolume '%s/%s'\n", dstdir, newname);
>>  	strncpy(args.name, newname, BTRFS_PATH_NAME_MAX);
>> +	args.name[BTRFS_PATH_NAME_MAX-1] = 0;
>>  	res = ioctl(fddst, BTRFS_IOC_SUBVOL_CREATE, &args);
>>  	e = errno;
>>
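
Review bot: In cmd_subvol_create, the added `args.name[BTRFS_PATH_NAME_MAX-1] = 0;` shortens an over-long newname without any diagnostic, while the printf two lines above has already reported the full name. Unless a length check outside this hunk already rejects such input, it would be better to test `strlen(newname) >= BTRFS_PATH_NAME_MAX` before the copy and return an error, so the subvolume that gets created always has the name the user asked for.
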
>> @@ -202,6 +203,7 @@ static int cmd_subvol_delete(int argc, char **argv)
>>
>>  	printf("Delete subvolume '%s/%s'\n", dname, vname);
>>  	strncpy(args.name, vname, BTRFS_PATH_NAME_MAX);
>> +	args.name[BTRFS_PATH_NAME_MAX-1] = 0;
>>  	res = ioctl(fd, BTRFS_IOC_SNAP_DESTROY, &args);
>>  	e = errno;
>>
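
Review bot: In cmd_subvol_delete, a truncated vname is passed to BTRFS_IOC_SNAP_DESTROY, so the name the ioctl acts on can differ from the one printed in the "Delete subvolume" message. For a destructive operation the terminator alone is not enough: if no earlier check bounds the length of vname, fail with an error instead of copying a shortened name.
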
>> @@ -378,6 +380,7 @@ static int cmd_snapshot(int argc, char **argv)
>>
>>  	args.fd = fd;
>>  	strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
>> +	args.name[BTRFS_PATH_NAME_MAX-1] = 0;
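
Review bot: In cmd_snapshot the terminator index does not match the copy bound: strncpy is limited by BTRFS_SUBVOL_NAME_MAX, but the added line stores the zero at BTRFS_PATH_NAME_MAX-1. A newname of BTRFS_SUBVOL_NAME_MAX bytes or more is still left unterminated at the copy bound, and nothing in the hunk shows that the PATH offset lies inside args.name. The index should be `BTRFS_SUBVOL_NAME_MAX-1`, or better `sizeof(args.name)-1`.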

Hi Josef,
Thanks for the reviews.

I've moved the parenthesis-fix you noticed, and have just noticed
that I used the wrong symbol name above.

The following change is folded into the PATCHv2 I'm about to post:

diff --git a/cmds-subvolume.c b/cmds-subvolume.c
index fc749f1..a01c830 100644
--- a/cmds-subvolume.c
+++ b/cmds-subvolume.c
@@ -380,7 +380,7 @@ static int cmd_snapshot(int argc, char **argv)

 	args.fd = fd;
 	strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
-	args.name[BTRFS_PATH_NAME_MAX-1] = 0;
+	args.name[BTRFS_SUBVOL_NAME_MAX-1] = 0;
 	res = ioctl(fddst, BTRFS_IOC_SNAP_CREATE_V2, &args);
 	e = errno;
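
Review bot: The corrected line in cmd_snapshot now agrees with the strncpy bound, but both still depend on a macro being chosen by hand to match the array. Writing the pair as `strncpy(args.name, newname, sizeof(args.name) - 1);` followed by `args.name[sizeof(args.name) - 1] = 0;` ties the bound to the destination itself and would have made the PATH/SUBVOL mix-up impossible. That form assumes args.name is an array member and not a pointer, which the hunk does not show.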
