From f1f9c50dd9e918afbc222dbdc7ee11fc3b3fa279 Mon Sep 17 00:00:00 2001
From: Brian Behlendorf
Date: Thu, 12 Mar 2009 15:20:26 -0700
Subject: [PATCH 1/2] Add fix-strncat branch which corrects a buffer overrun.
---
 .topdeps | 1 +
 .topmsg | 8 ++++++++
 lib/libzfs/libzfs_sendrecv.c | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 .topdeps
 create mode 100644 .topmsg
diff --git a/.topdeps b/.topdeps
new file mode 100644
index 0000000000..1f7391f92b
--- /dev/null
+++ b/.topdeps
@@ -0,0 +1 @@
+master
diff --git a/.topmsg b/.topmsg
new file mode 100644
index 0000000000..1a1a56687a
--- /dev/null
+++ b/.topmsg
@@ -0,0 +1,8 @@
+From: Brian Behlendorf
+Subject: [PATCH] fix strncat
+
+This look like a typo. The intention was to use strlcat() however
+strncat() was used instead accidentally this may lead to a buffer
+overflow. This was caught by gcc -D_FORTIFY_SOURCE=2.
+
+Signed-off-by: Brian Behlendorf
diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c
index 5a2e2aeb6d..ab6977e9ec 100644
--- a/lib/libzfs/libzfs_sendrecv.c
+++ b/lib/libzfs/libzfs_sendrecv.c
@@ -1642,7 +1642,7 @@ zfs_receive_one(libzfs_handle_t *hdl, int infd, const char *tosnap,
 * Determine name of destination snapshot, store in zc_value.
 */
 (void) strcpy(zc.zc_value, tosnap);
- (void) strncat(zc.zc_value, drrb->drr_toname+choplen,
+ (void) strlcat(zc.zc_value, drrb->drr_toname+choplen,
 sizeof (zc.zc_value));
 if (!zfs_name_valid(zc.zc_value, ZFS_TYPE_SNAPSHOT)) {
 zcmd_free_nvlists(&zc);
From 56aaaa26170b75eb8e1849a962bccf643d0b81d4 Mon Sep 17 00:00:00 2001
From: Brian Behlendorf
Date: Thu, 12 Mar 2009 15:21:27 -0700
Subject: [PATCH 2/2] New TopGit dependency: fix-strncat
---
 .topdeps | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.topdeps b/.topdeps
index b53c9e7afa..04ac73ff29 100644
--- a/.topdeps
+++ b/.topdeps
@@ -11,3 +11,4 @@ fix-rwlocks
 fix-stack
 fix-taskq
 fix-list
+fix-strncat
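Review bot: The `(void)` cast on the new `strlcat()` line discards the length it returns, so a combined name longer than sizeof (zc.zc_value) is now silently truncated instead of rejected, and a truncated name that still passes `zfs_name_valid()` would receive the stream into a snapshot other than the one the sender named. The `(void) strcpy(zc.zc_value, tosnap)` on the preceding context line is also still unbounded, so the overrun is only fixed if tosnap has already been length-checked by the caller, which this hunk does not show. I would bound both copies and treat truncation as the same failure the `zfs_name_valid` branch below handles, e.g. `if (strlcpy(zc.zc_value, tosnap, sizeof (zc.zc_value)) >= sizeof (zc.zc_value) || strlcat(zc.zc_value, drrb->drr_toname+choplen, sizeof (zc.zc_value)) >= sizeof (zc.zc_value))` followed by the same `zcmd_free_nvlists(&zc)` and error return. zfs_receive_one() begins and ends outside this hunk, so the earlier validation of tosnap could not be checked from here.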