mdadm/0139-Fix-unsafe-string-functions.patch
2023-11-04 03:22:37 +00:00

117 lines
3.9 KiB
Diff

From dd5ab40204b1d78ec3bdbcfd5a38a8ffb72bdb50 Mon Sep 17 00:00:00 2001
From: Kinga Tanska <kinga.tanska@intel.com>
Date: Thu, 11 May 2023 04:55:12 +0200
Subject: [PATCH 139/165] Fix unsafe string functions
Add string length limitations where necessary to
avoid buffer overflows.
Signed-off-by: Kinga Tanska <kinga.tanska@intel.com>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
---
mdmon.c | 6 +++---
mdopen.c | 4 ++--
platform-intel.c | 2 +-
super-intel.c | 6 +++---
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/mdmon.c b/mdmon.c
index cef5bbc8..a2038fe6 100644
--- a/mdmon.c
+++ b/mdmon.c
@@ -240,7 +240,7 @@ static int make_control_sock(char *devname)
return -1;
addr.sun_family = PF_LOCAL;
- strcpy(addr.sun_path, path);
+ snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path);
umask(077); /* ensure no world write access */
if (bind(sfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
close(sfd);
@@ -389,7 +389,7 @@ int main(int argc, char *argv[])
if (all) {
struct mdstat_ent *mdstat, *e;
- int container_len = strlen(container_name);
+ int container_len = strnlen(container_name, MD_NAME_MAX);
/* launch an mdmon instance for each container found */
mdstat = mdstat_read(0, 0);
@@ -472,7 +472,7 @@ static int mdmon(char *devnm, int must_fork, int takeover)
pfd[0] = pfd[1] = -1;
container = xcalloc(1, sizeof(*container));
- strcpy(container->devnm, devnm);
+ snprintf(container->devnm, MD_NAME_MAX, "%s", devnm);
container->arrays = NULL;
container->sock = -1;
diff --git a/mdopen.c b/mdopen.c
index d3022a54..3daa71f9 100644
--- a/mdopen.c
+++ b/mdopen.c
@@ -193,14 +193,14 @@ int create_mddev(char *dev, char *name, int autof, int trustworthy,
if (dev) {
if (strncmp(dev, DEV_MD_DIR, DEV_MD_DIR_LEN) == 0) {
- strcpy(cname, dev + DEV_MD_DIR_LEN);
+ snprintf(cname, MD_NAME_MAX, "%s", dev + DEV_MD_DIR_LEN);
} else if (strncmp(dev, "/dev/", 5) == 0) {
char *e = dev + strlen(dev);
while (e > dev && isdigit(e[-1]))
e--;
if (e[0])
num = strtoul(e, NULL, 10);
- strcpy(cname, dev+5);
+ snprintf(cname, MD_NAME_MAX, "%s", dev + 5);
cname[e-(dev+5)] = 0;
/* name *must* be mdXX or md_dXX in this context */
if (num < 0 ||
diff --git a/platform-intel.c b/platform-intel.c
index 914164c0..eb6e1b7e 100644
--- a/platform-intel.c
+++ b/platform-intel.c
@@ -214,7 +214,7 @@ struct sys_dev *device_by_id_and_path(__u16 device_id, const char *path)
static int devpath_to_ll(const char *dev_path, const char *entry, unsigned long long *val)
{
- char path[strlen(dev_path) + strlen(entry) + 2];
+ char path[strnlen(dev_path, PATH_MAX) + strnlen(entry, PATH_MAX) + 2];
int fd;
int n;
diff --git a/super-intel.c b/super-intel.c
index 824c1356..ce813172 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -7043,7 +7043,7 @@ active_arrays_by_format(char *name, char* hba, struct md_list **devlist,
int fd = -1;
while (dev && !is_fd_valid(fd)) {
char *path = xmalloc(strlen(dev->name) + strlen("/dev/") + 1);
- num = sprintf(path, "%s%s", "/dev/", dev->name);
+ num = snprintf(path, PATH_MAX, "%s%s", "/dev/", dev->name);
if (num > 0)
fd = open(path, O_RDONLY, 0);
if (num <= 0 || !is_fd_valid(fd)) {
@@ -7935,7 +7935,7 @@ static int kill_subarray_imsm(struct supertype *st, char *subarray_id)
if (i < current_vol)
continue;
- sprintf(subarray, "%u", i);
+ snprintf(subarray, sizeof(subarray), "%u", i);
if (is_subarray_active(subarray, st->devnm)) {
pr_err("deleting subarray-%d would change the UUID of active subarray-%d, aborting\n",
current_vol, i);
@@ -11308,7 +11308,7 @@ static const char *imsm_get_disk_controller_domain(const char *path)
char *drv=NULL;
struct stat st;
- strcpy(disk_path, disk_by_path);
+ strncpy(disk_path, disk_by_path, PATH_MAX);
strncat(disk_path, path, PATH_MAX - strlen(disk_path) - 1);
if (stat(disk_path, &st) == 0) {
struct sys_dev* hba;
--
2.40.1