From e23ed1b3307fed4edf349c44434985092b3244d6 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sat, 3 Dec 2022 21:43:33 -0500 Subject: [PATCH] Fix potential buffer overflow in zpool command The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This allows for arbitrarily long strings to be passed to sprintf(), which can overflow the buffer. I missed this in my earlier audit of the codebase. CodeQL's cpp/unbounded-write check caught this. Reviewed-by: Damian Szuberski Reviewed-by: Alexander Motin Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #14264 --- cmd/zpool/zpool_main.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/cmd/zpool/zpool_main.c b/cmd/zpool/zpool_main.c index 54464731b5..370d6b371a 100644 --- a/cmd/zpool/zpool_main.c +++ b/cmd/zpool/zpool_main.c @@ -5414,7 +5414,13 @@ print_zpool_dir_scripts(char *dirpath) if ((dir = opendir(dirpath)) != NULL) { /* print all the files and directories within directory */ while ((ent = readdir(dir)) != NULL) { - sprintf(fullpath, "%s/%s", dirpath, ent->d_name); + if (snprintf(fullpath, sizeof (fullpath), "%s/%s", + dirpath, ent->d_name) >= sizeof (fullpath)) { + (void) fprintf(stderr, + gettext("internal error: " + "ZPOOL_SCRIPTS_PATH too large.\n")); + exit(1); + } /* Print the scripts */ if (stat(fullpath, &dir_stat) == 0)