Fix potential buffer overflow in zpool command
The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This allows for arbitrarily long strings to be passed to sprintf(), which can overflow the buffer. I missed this in my earlier audit of the codebase. CodeQL's cpp/unbounded-write check caught this. Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14264
parent
ecccaede68
commit
ba87ed1410
|
@ -5429,7 +5429,13 @@ print_zpool_dir_scripts(char *dirpath)
|
||||||
if ((dir = opendir(dirpath)) != NULL) {
|
if ((dir = opendir(dirpath)) != NULL) {
|
||||||
/* print all the files and directories within directory */
|
/* print all the files and directories within directory */
|
||||||
while ((ent = readdir(dir)) != NULL) {
|
while ((ent = readdir(dir)) != NULL) {
|
||||||
sprintf(fullpath, "%s/%s", dirpath, ent->d_name);
|
if (snprintf(fullpath, sizeof (fullpath), "%s/%s",
|
||||||
|
dirpath, ent->d_name) >= sizeof (fullpath)) {
|
||||||
|
(void) fprintf(stderr,
|
||||||
|
gettext("internal error: "
|
||||||
|
"ZPOOL_SCRIPTS_PATH too large.\n"));
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
/* Print the scripts */
|
/* Print the scripts */
|
||||||
if (stat(fullpath, &dir_stat) == 0)
|
if (stat(fullpath, &dir_stat) == 0)
|
||||||
|
|
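Review bot: The new truncation check `snprintf(...) >= sizeof (fullpath)` compares an int return value with a size_t, so a negative error return is caught only because it converts to a large unsigned value. Writing it as `int n = snprintf(fullpath, sizeof (fullpath), "%s/%s", dirpath, ent->d_name);` followed by `if (n < 0 || (size_t)n >= sizeof (fullpath)) {` makes both failure cases explicit and avoids a sign-compare warning. The bound is correct only if `fullpath` is an array rather than a pointer; its declaration is outside the hunk, as are the start and end of print_zpool_dir_scripts. The message labels this an "internal error" and names only ZPOOL_SCRIPTS_PATH, although the length is driven by environment input plus the directory entry name, so wording it as an ordinary path-too-long error would be more accurate.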