Fix potential buffer overflow in zpool command

The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This
allows for arbitrarily long strings to be passed to sprintf(), which can
overflow the buffer.

I missed this in my earlier audit of the codebase. CodeQL's
cpp/unbounded-write check caught this.

Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14264
This commit is contained in:
Richard Yao 2022-12-03 21:43:33 -05:00 committed by Brian Behlendorf
parent ecccaede68
commit ba87ed1410
1 changed files with 7 additions and 1 deletions

View File

@ -5429,7 +5429,13 @@ print_zpool_dir_scripts(char *dirpath)
if ((dir = opendir(dirpath)) != NULL) { if ((dir = opendir(dirpath)) != NULL) {
/* print all the files and directories within directory */ /* print all the files and directories within directory */
while ((ent = readdir(dir)) != NULL) { while ((ent = readdir(dir)) != NULL) {
sprintf(fullpath, "%s/%s", dirpath, ent->d_name); if (snprintf(fullpath, sizeof (fullpath), "%s/%s",
dirpath, ent->d_name) >= sizeof (fullpath)) {
(void) fprintf(stderr,
gettext("internal error: "
"ZPOOL_SCRIPTS_PATH too large.\n"));
exit(1);
}
/* Print the scripts */ /* Print the scripts */
if (stat(fullpath, &dir_stat) == 0) if (stat(fullpath, &dir_stat) == 0)