From dd5ab40204b1d78ec3bdbcfd5a38a8ffb72bdb50 Mon Sep 17 00:00:00 2001
From: Kinga Tanska
Date: Thu, 11 May 2023 04:55:12 +0200
Subject: [PATCH 139/165] Fix unsafe string functions
Add string length limitations where necessary to avoid buffer overflows.
Signed-off-by: Kinga Tanska
Signed-off-by: Jes Sorensen
---
 mdmon.c | 6 +++---
 mdopen.c | 4 ++--
 platform-intel.c | 2 +-
 super-intel.c | 6 +++---
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/mdmon.c b/mdmon.c
index cef5bbc8..a2038fe6 100644
--- a/mdmon.c
+++ b/mdmon.c
@@ -240,7 +240,7 @@ static int make_control_sock(char *devname)
 return -1;
 addr.sun_family = PF_LOCAL;
- strcpy(addr.sun_path, path);
+ snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path);
 umask(077); /* ensure no world write access */
 if (bind(sfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
 close(sfd);
@@ -389,7 +389,7 @@ int main(int argc, char *argv[])
 if (all) {
 struct mdstat_ent *mdstat, *e;
- int container_len = strlen(container_name);
+ int container_len = strnlen(container_name, MD_NAME_MAX);
 /* launch an mdmon instance for each container found */
 mdstat = mdstat_read(0, 0);
@@ -472,7 +472,7 @@ static int mdmon(char *devnm, int must_fork, int takeover)
 pfd[0] = pfd[1] = -1;
 container = xcalloc(1, sizeof(*container));
- strcpy(container->devnm, devnm);
+ snprintf(container->devnm, MD_NAME_MAX, "%s", devnm);
 container->arrays = NULL;
 container->sock = -1;
diff --git a/mdopen.c b/mdopen.c
index d3022a54..3daa71f9 100644
--- a/mdopen.c
+++ b/mdopen.c
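Review bot: In mdmon.c `make_control_sock()`, the new `snprintf()` into `addr.sun_path` truncates silently, so an over-long `path` would make the following `bind()` create the control socket under a shortened, different name instead of failing. Check the return value and bail out before `bind()`, e.g. `if ((size_t)snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path) >= sizeof(addr.sun_path)) { close(sfd); return -1; }`. How `path` is built is outside the hunk, so whether it can actually exceed the field is not visible here.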
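Review bot: In mdmon.c `main()`, replacing `strlen(container_name)` with `strnlen(container_name, MD_NAME_MAX)` removes no overflow, since measuring a NUL-terminated string writes nothing, but it does make `container_len` wrong for any name of MD_NAME_MAX bytes or more. The uses of `container_len` are outside the hunk; if it serves as a comparison or copy length, an over-long name would then be handled by its prefix only. Rejecting such a name is clearer than capping its measured length, for example testing `strnlen(container_name, MD_NAME_MAX) == MD_NAME_MAX` and returning an error before this block.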
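Review bot: In mdmon.c `mdmon()`, the bound passed to `snprintf()` is the constant `MD_NAME_MAX` rather than the size of the destination, and the declaration of `container->devnm` is not in the hunk, so nothing visible guarantees the two agree. `snprintf(container->devnm, sizeof(container->devnm), "%s", devnm);` stays correct if the field is ever resized (assuming `devnm` is an array member, which the hunk does not show). The same pattern appears in the mdopen.c `create_mddev()` hunk, where `cname` is bounded by `MD_NAME_MAX`.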
@@ -193,14 +193,14 @@ int create_mddev(char *dev, char *name, int autof, int trustworthy,
 if (dev) {
 if (strncmp(dev, DEV_MD_DIR, DEV_MD_DIR_LEN) == 0) {
- strcpy(cname, dev + DEV_MD_DIR_LEN);
+ snprintf(cname, MD_NAME_MAX, "%s", dev + DEV_MD_DIR_LEN);
 } else if (strncmp(dev, "/dev/", 5) == 0) {
 char *e = dev + strlen(dev);
 while (e > dev && isdigit(e[-1]))
 e--;
 if (e[0])
 num = strtoul(e, NULL, 10);
- strcpy(cname, dev+5);
+ snprintf(cname, MD_NAME_MAX, "%s", dev + 5);
 cname[e-(dev+5)] = 0;
 /* name *must* be mdXX or md_dXX in this context */
 if (num < 0 ||
diff --git a/platform-intel.c b/platform-intel.c
index 914164c0..eb6e1b7e 100644
--- a/platform-intel.c
+++ b/platform-intel.c
@@ -214,7 +214,7 @@ struct sys_dev *device_by_id_and_path(__u16 device_id, const char *path)
 static int devpath_to_ll(const char *dev_path, const char *entry, unsigned long long *val)
 {
- char path[strlen(dev_path) + strlen(entry) + 2];
+ char path[strnlen(dev_path, PATH_MAX) + strnlen(entry, PATH_MAX) + 2];
 int fd;
 int n;
diff --git a/super-intel.c b/super-intel.c
index 824c1356..ce813172 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -7043,7 +7043,7 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
 int fd = -1;
 while (dev && !is_fd_valid(fd)) {
 char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);
- num = sprintf(path, "%s%s", "/dev/", dev->name);
+ num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name);
 if (num > 0)
 fd = open(path, O_RDONLY, 0);
 if (num <= 0 || !is_fd_valid(fd)) {
@@ -7935,7 +7935,7 @@ static int kill_subarray_imsm(struct supertype *st, char *subarray_id)
 if (i < current_vol)
 continue;
- sprintf(subarray, "%u", i);
+ snprintf(subarray, sizeof(subarray), "%u", i);
 if (is_subarray_active(subarray, st->devnm)) {
 pr_err("deleting subarray-%d would change the UUID of active subarray-%d, aborting\n", current_vol, i);
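Review bot: In mdopen.c `create_mddev()`, the line after the second `snprintf()`, `cname[e-(dev+5)] = 0;`, still indexes `cname` with an offset computed from the full length of `dev`, so a `/dev/` name longer than the bound is truncated by `snprintf()` and then written past by the terminator store. Folding the length into the format removes the separate store: `snprintf(cname, MD_NAME_MAX, "%.*s", (int)(e - (dev + 5)), dev + 5);`, and the `cname[...] = 0;` line can go. Both branches also truncate silently; a name that does not fit should probably be rejected rather than shortened. `cname`'s declaration and the rest of the function are outside the hunk.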
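Review bot: In platform-intel.c `devpath_to_ll()`, capping the two lengths with `strnlen(..., PATH_MAX)` can only make the variable-length array `path` smaller than the strings it is sized for; it does not limit what is later written into it. The code that fills `path` is outside the hunk; if it still formats the complete `dev_path` and `entry`, an input longer than PATH_MAX now overflows a buffer that was previously exactly large enough. The array can also reach about twice PATH_MAX on the stack. Safer is to reject over-long inputs first (a `strnlen()` result equal to `PATH_MAX`) and to pass `sizeof(path)` as the bound wherever `path` is written.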
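Review bot: In super-intel.c `active_arrays_by_format()`, `snprintf(path, PATH_MAX, ...)` states a bound that has no relation to the buffer, which the line above allocates as `strlen(dev->name) + strlen("/dev/") + 1` bytes. The allocation is exactly sized, so this call cannot overflow, but the size argument claims more room than exists whenever the name is shorter than PATH_MAX and would mislead anyone who later changes the format. Compute the length once and use it for both: `size_t len = strlen(dev->name) + strlen("/dev/") + 1;`, `char *path = xmalloc(len);`, `num = snprintf(path, len, "%s%s", "/dev/", dev->name);`.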
@@ -11308,7 +11308,7 @@ static const char *imsm_get_disk_controller_domain(const char *path)
 char *drv=NULL;
 struct stat st;
- strcpy(disk_path, disk_by_path);
+ strncpy(disk_path, disk_by_path, PATH_MAX);
 strncat(disk_path, path, PATH_MAX - strlen(disk_path) - 1);
 if (stat(disk_path, &st) == 0) {
 struct sys_dev* hba;
--
2.40.1
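Review bot: In super-intel.c `imsm_get_disk_controller_domain()`, `strncpy(disk_path, disk_by_path, PATH_MAX)` leaves `disk_path` without a terminating NUL when the source is PATH_MAX bytes or longer, and the very next line calls `strlen(disk_path)` and `strncat()` on it. `strncpy()` also zero-fills the whole remainder of the buffer on every call. One bounded format replaces both lines and always terminates: `snprintf(disk_path, PATH_MAX, "%s%s", disk_by_path, path);`, with the return value compared against `PATH_MAX` to detect truncation. The declarations of `disk_path` and `disk_by_path` are outside the hunk, so `PATH_MAX` is taken from the existing `strncat()` bound; use `sizeof(disk_path)` if it is an array.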