From: Elie De Brauwer <eliedebrauwer@gmail.com>
To: linux-mtd@lists.infradead.org
Cc: eliedebrauwer@gmail.com
Subject: [PATCH 3/4] integck.c: Fix buffer overflow in save_file, avoid possible failure to write buffers when the filename length is equal to max_name_len
Date: Fri, 1 Mar 2013 19:37:39 +0100 [thread overview]
Message-ID: <1362163060-5629-4-git-send-email-eliedebrauwer@gmail.com> (raw)
In-Reply-To: <1362163060-5629-1-git-send-email-eliedebrauwer@gmail.com>
Signed-off-by: Elie De Brauwer <eliedebrauwer@gmail.com>
---
tests/fs-tests/integrity/integck.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tests/fs-tests/integrity/integck.c b/tests/fs-tests/integrity/integck.c
index 5ea3642..ee37a0d 100644
--- a/tests/fs-tests/integrity/integck.c
+++ b/tests/fs-tests/integrity/integck.c
@@ -32,11 +32,11 @@
#include <assert.h>
#include <mntent.h>
#include <execinfo.h>
+#include <bits/stdio_lim.h>
#include <sys/mman.h>
#include <sys/vfs.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
-#include <linux/fs.h>
#define PROGRAM_VERSION "1.1"
#define PROGRAM_NAME "integck"
@@ -1433,12 +1433,17 @@ static void save_file(int fd, struct file_info *file)
int w_fd;
struct write_info *w;
char buf[IO_BUFFER_SIZE];
- char name[256];
+ char name[FILENAME_MAX];
+ const char * read_suffix = ".integ.sav.read";
+ const char * write_suffix = ".integ.sav.written";
+ size_t fname_len = strlen(get_file_name(file));
/* Open file to save contents to */
strcpy(name, "/tmp/");
- strcat(name, get_file_name(file));
- strcat(name, ".integ.sav.read");
+ if (fname_len + strlen(read_suffix) > fsinfo.max_name_len)
+ fname_len = fsinfo.max_name_len - strlen(read_suffix);
+ strncat(name, get_file_name(file), fname_len);
+ strcat(name, read_suffix);
normsg("Saving %sn", name);
w_fd = open(name, O_CREAT | O_WRONLY, 0777);
CHECK(w_fd != -1);
@@ -1457,8 +1462,10 @@ static void save_file(int fd, struct file_info *file)
/* Open file to save contents to */
strcpy(name, "/tmp/");
- strcat(name, get_file_name(file));
- strcat(name, ".integ.sav.written");
+ if (fname_len + strlen(write_suffix) > fsinfo.max_name_len)
+ fname_len = fsinfo.max_name_len - strlen(write_suffix);
+ strncat(name, get_file_name(file), fname_len);
+ strcat(name, write_suffix);
normsg("Saving %s", name);
w_fd = open(name, O_CREAT | O_WRONLY, 0777);
CHECK(w_fd != -1);
--
1.7.10.4
next prev parent reply other threads:[~2013-03-01 18:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-01 18:37 [PATCH 0/4] mtd-utils: integck improvements Elie De Brauwer
2013-03-01 18:37 ` [PATCH 1/4] integck.c: Only verify the operation after all datastructures have been updated Elie De Brauwer
2013-03-01 18:37 ` [PATCH 2/4] integck.c: rework file_check_data to immediately dump the buffer containing the errors Elie De Brauwer
2013-03-01 18:37 ` Elie De Brauwer [this message]
2013-03-01 18:37 ` [PATCH 4/4] Typo fixes: avaiable -> available and priortiry -> priority Elie De Brauwer
2013-03-11 8:49 ` [PATCH 0/4] mtd-utils: integck improvements Artem Bityutskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1362163060-5629-4-git-send-email-eliedebrauwer@gmail.com \
--to=eliedebrauwer@gmail.com \
--cc=linux-mtd@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox