gettmpname() and getparent() blindly copy strings into a target array; be sure we limit the copy to the size of the target and null terminate it. I don't see a way to get here with a too-long name, since most paths try to open or stat the file already, but it can't hurt to be defensive.
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
 fsr/xfs_fsr.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/fsr/xfs_fsr.c b/fsr/xfs_fsr.c
index 2db2224..843f57d 100644
--- a/fsr/xfs_fsr.c
+++ b/fsr/xfs_fsr.c
@@ -1452,7 +1452,8 @@ gettmpname(char *fname)
 sprintf(sbuf, "/.fsr%d", getpid());
- strcpy(buf, fname);
+ strncpy(buf, fname, PATH_MAX);
+ buf[PATH_MAX] = '\0';
 ptr = strrchr(buf, '/');
 if (ptr) {
 *ptr = '\0';
@@ -1476,7 +1477,8 @@ getparent(char *fname)
 static char buf[PATH_MAX+1];
 char *ptr;
- strcpy(buf, fname);
+ strncpy(buf, fname, PATH_MAX);
+ buf[PATH_MAX] = '\0';
 ptr = strrchr(buf, '/');
 if (ptr) {
 if (ptr == &buf[0])
-- 
1.7.1
_______________________________________________ xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs
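Review bot: The new `strncpy(buf, fname, PATH_MAX)` truncates an over-long fname silently, so both gettmpname() and getparent() would go on to derive a temp-file name or a parent directory from a shortened path that may name a different location than the caller intended. Rejecting the input is safer than truncating it, for example `if (strlen(fname) > PATH_MAX) return NULL;` before the copy; whether the callers handle a NULL return is not visible in these hunks and should be confirmed. The `buf[PATH_MAX] = '\0'` store is in bounds in getparent(), where `static char buf[PATH_MAX+1]` is visible, but buf's declaration in gettmpname() lies outside the hunk and should be checked to have the same size. Both function bodies continue outside the hunks.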