From 9c23b8961205f30d29c4137f4833f78cc48ce3fb Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong"
Date: Sun, 20 Nov 2011 15:47:02 -0500
Subject: [PATCH] debugfs: fix sprintf stack overflow

The htree dump code overflows a char buffer if the directory has a long filename because the buffer is not large enough to hold the characters that are not part of the filename. Make the buffer larger and use snprintf instead.

Signed-off-by: Darrick J. Wong
Reviewed-by: Eric Sandeen
Signed-off-by: Theodore Ts'o
---
 debugfs/htree.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debugfs/htree.c b/debugfs/htree.c
index 06e7737..05745eb 100644
--- a/debugfs/htree.c
+++ b/debugfs/htree.c
@@ -39,7 +39,7 @@ static void htree_dump_leaf_node(ext2_filsys fs, ext2_ino_t ino,
 int thislen, col = 0;
 unsigned int offset = 0;
 char name[EXT2_NAME_LEN + 1];
- char tmp[EXT2_NAME_LEN + 16];
+ char tmp[EXT2_NAME_LEN + 64];
 blk64_t pblk;
 ext2_dirhash_t hash, minor_hash;
 unsigned int rec_len;
@@ -91,8 +91,8 @@ static void htree_dump_leaf_node(ext2_filsys fs, ext2_ino_t ino,
 if (errcode)
 com_err("htree_dump_leaf_node", errcode,
 "while calculating hash");
- sprintf(tmp, "%u 0x%08x-%08x (%d) %s ", dirent->inode,
- hash, minor_hash, rec_len, name);
+ snprintf(tmp, EXT2_NAME_LEN + 64, "%u 0x%08x-%08x (%d) %s ",
+ dirent->inode, hash, minor_hash, rec_len, name);
 thislen = strlen(tmp);
 if (col + thislen > 80) {
 fprintf(pager, "\n");
--
1.8.3.1
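Review bot: The size expression `EXT2_NAME_LEN + 64` on the `tmp` declaration is spelled out a second time as the snprintf bound in the second hunk, so a later edit to the declaration alone can leave the bound larger than the array and bring the overflow back. `tmp` is a real array in this function, so the call can take its size from the object: `snprintf(tmp, sizeof(tmp),`. A one-line comment on the declaration saying what the 64 bytes cover (the inode number, the two 8-digit hashes, rec_len and the separators) would let the next reader check the arithmetic. The body of htree_dump_leaf_node starts and ends outside this hunk.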
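Review bot: `rec_len` is declared `unsigned int` in the first hunk's context, yet the new snprintf line still formats it with `(%d)`; the conversion should be `(%u)` so the specifier matches the argument type. Separately, snprintf truncates silently and its return value is discarded here, so a cut-off entry would flow into the `strlen(tmp)` column accounting unnoticed. With the visible format the fixed fields appear to fit inside the 64 bytes of headroom, but comparing the return value with `sizeof(tmp)` would make any future truncation visible. The function continues outside the hunk.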