It seems like the sprintfs in i.e. fsrall_cleanup() and tmp_init() might have the same problem, no?

And then what happens if it is truncated to SMBUFSZ; at that point I think this needs error handling, if the string got truncated.

-Eric

On 12/2/15 5:19 AM, Vivek Trivedi wrote: > Fix possible buffer overflow by replacing sprintf with snprintf in tmp_next > and tmp_close. > Reported by coverity. > > Signed-off-by: Vivek Trivedi <t.vivek@xxxxxxxxxxx> > --- > fsr/xfs_fsr.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fsr/xfs_fsr.c b/fsr/xfs_fsr.c > index 424fbce..bd459b6 100644 > --- a/fsr/xfs_fsr.c > +++ b/fsr/xfs_fsr.c > @@ -1804,7 +1804,7 @@ tmp_next(char *mnt) > { > static char buf[SMBUFSZ]; > > - sprintf(buf, "%s/.fsr/ag%d/tmp%d", > + snprintf(buf, SMBUFSZ, "%s/.fsr/ag%d/tmp%d", > ( (strcmp(mnt, "/") == 0) ? "" : mnt), > tmp_agi, > getpid()); > @@ -1823,7 +1823,7 @@ tmp_close(char *mnt) > > /* No data is ever actually written so we can just do rmdir's */ > for (i=0; i < fsgeom.agcount; i++) { > - sprintf(buf, "%s/.fsr/ag%d", mnt, i); > + snprintf(buf, SMBUFSZ, "%s/.fsr/ag%d", mnt, i); > if (rmdir(buf) < 0) { > if (errno != ENOENT) { > fsrprintf(
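
Review bot: the snprintf return value in the tmp_next hunk is discarded, so when the mount path is long enough that the formatted name reaches SMBUFSZ, buf is left holding a silently shortened path. Capture the result and treat `n < 0 || n >= SMBUFSZ` as an error before buf is used. Since buf is declared in this hunk as `static char buf[SMBUFSZ]`, passing `sizeof(buf)` as the bound would also keep the limit tied to the array if its size ever changes.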
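
Review bot: in the tmp_close hunk a truncated name goes straight to rmdir(buf), which would then act on a different, shorter path than `mnt/.fsr/agN`, and the visible error branch stays quiet when that call fails with ENOENT. Check the snprintf result against the buffer size and skip the rmdir, with a message, when the name did not fit. The declaration of buf is outside this hunk, so it is worth confirming that SMBUFSZ is really its size, or using sizeof(buf) if it is an array.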
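
The truncation handling asked for in the reply above, sketched as an added example that is not part of the original thread or of xfs_fsr.c. The helper names, `DEMO_BUFSZ` and the sample mount paths are hypothetical; only the two format strings come from the quoted patch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUFSZ 32	/* constructed size for the demo, not the project's SMBUFSZ */

/* Turn an snprintf() result into 0 (fits) or -1 (error or truncation). */
static int
demo_check(int n, char *buf, size_t len)
{
	if (n >= 0 && (size_t)n < len)
		return 0;
	if (len > 0)
		buf[0] = '\0';		/* never leave a partial path behind */
	if (n >= 0)
		errno = ENAMETOOLONG;	/* n < 0: keep errno from snprintf */
	return -1;
}

/* Hypothetical stand-in for the tmp_next() formatting step. */
static int
demo_tmp_path(char *buf, size_t len, const char *mnt, int agi, int pid)
{
	return demo_check(snprintf(buf, len, "%s/.fsr/ag%d/tmp%d",
			(strcmp(mnt, "/") == 0) ? "" : mnt, agi, pid), buf, len);
}

/* Hypothetical stand-in for the per-AG name built in the tmp_close() loop. */
static int
demo_ag_dir(char *buf, size_t len, const char *mnt, int agi)
{
	return demo_check(snprintf(buf, len, "%s/.fsr/ag%d", mnt, agi), buf, len);
}

int
main(void)
{
	char buf[DEMO_BUFSZ];
	/* Constructed mount points: one that fits, one that does not. */
	const char *mnts[] = { "/mnt/data", "/mnt/a-very-long-mount-point-name" };

	for (int i = 0; i < 2; i++) {
		if (demo_ag_dir(buf, sizeof(buf), mnts[i], 0) < 0)
			printf("%s: skipped, %s\n", mnts[i], strerror(errno));
		else
			printf("would rmdir %s\n", buf);
	}
	return 0;
}
```
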