[PATCH 7/7] libfrog: fix a buffer overrun in path_list_to_string

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Darrick J. Wong <djwong@xxxxxxxxxx>

Fix a buffer overrun when converting a path list to a string.

Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
 libfrog/paths.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)


diff --git a/libfrog/paths.c b/libfrog/paths.c
index cc43b02c4..42e000295 100644
--- a/libfrog/paths.c
+++ b/libfrog/paths.c
@@ -694,13 +694,18 @@ path_list_to_string(
 	size_t			buflen)
 {
 	struct path_component	*pos;
+	char			*buf_end = buf + buflen;
 	ssize_t			bytes = 0;
 	int			ret;
 
 	list_for_each_entry(pos, &path->p_head, pc_list) {
+		if (buf >= buf_end)
+			return -1;
+
 		ret = snprintf(buf, buflen, "/%s", pos->pc_fname);
-		if (ret != 1 + strlen(pos->pc_fname))
+		if (ret < 0 || ret >= buflen)
 			return -1;
+
 		bytes += ret;
 		buf += ret;
 		buflen -= ret;




[Index of Archives]     [XFS Filesystem Development (older mail)]     [Linux Filesystem Development]     [Linux Audio Users]     [Yosemite Trails]     [Linux Kernel]     [Linux RAID]     [Linux SCSI]


  Powered by Linux