From: Theodore Ts'o
Date: Fri, 23 Feb 2018 20:42:27 +0000 (-0500)
Subject: fsck: avoid buffer overflow if user passes in an insanely long fs type
X-Git-Tag: debian/1.44.4-1~12^2~7
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=d8e5da0a3b94f7445ab8cdd629bfc561986e7501;p=tools%2Fe2fsprogs.git
fsck: avoid buffer overflow if user passes in an insanely long fs type
Reported-by:
Signed-off-by: Theodore Ts'o
---
diff --git a/misc/fsck.c b/misc/fsck.c
index de5ae25..a2e0dfb 100644
--- a/misc/fsck.c
+++ b/misc/fsck.c
@@ -408,7 +408,8 @@ static char *find_fsck(char *type)
 tpl = (strncmp(type, "fsck.", 5) ? "%s/fsck.%s" : "%s/%s");
 for(s = strtok(p, ":"); s; s = strtok(NULL, ":")) {
- sprintf(prog, tpl, s, type);
+ if (snprintf(prog, sizeof(prog), tpl, s, type) >= sizeof(prog))
+ continue;
 if (stat(prog, &st) == 0) break;
 }
 free(p);
@@ -435,7 +436,7 @@ static int progress_active(NOARGS)
 static int execute(const char *type, const char *device, const char *mntpt,
 int interactive)
 {
- char *s, *argv[80], prog[80];
+ char *s, *argv[80], prog[256];
 int argc, i;
 struct fsck_instance *inst, *p;
 pid_t pid;
@@ -445,7 +446,8 @@ static int execute(const char *type, const char *device, const char *mntpt,
 return ENOMEM;
 memset(inst, 0, sizeof(struct fsck_instance));
- sprintf(prog, "fsck.%s", type);
+ if (snprintf(prog, sizeof(prog), "fsck.%s", type) >= sizeof(prog))
+ return EINVAL;
 argv[0] = string_copy(prog);
 argc = 1;
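Review bot: The new guard in find_fsck() compares snprintf's `int` return directly against `sizeof(prog)`, which is a `size_t`, so the comparison is carried out unsigned; a negative error return is rejected only because it converts to a very large value, and the line will trip -Wsign-compare. I would store the result and test both cases explicitly: `int n = snprintf(prog, sizeof(prog), tpl, s, type);` followed by `if (n < 0 || (size_t)n >= sizeof(prog)) continue;`. The same pattern is used in the execute() hunk at -445 and deserves the same treatment. The declaration of prog and the return statement of find_fsck() are outside this hunk, so it is worth confirming that skipping every over-long candidate ends up on the ordinary "not found" path rather than returning a stale buffer.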
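Review bot: The added `return EINVAL;` in execute() leaves the function after `inst` has already been set up, and nothing on this path releases it. The hunk shows the ENOMEM return and `memset(inst, 0, ...)` immediately above, so inst was presumably heap-allocated just before, although the allocation itself is outside the hunk. Either perform the length check before the allocation or free first: `if (...) { free(inst); return EINVAL; }`. A short comment such as `/* fail rather than exec a truncated helper name */` would also record why an over-long type is rejected instead of being cut to fit. The rest of execute() continues outside the hunk.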