From d8e5da0a3b94f7445ab8cdd629bfc561986e7501 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Fri, 23 Feb 2018 15:42:27 -0500
Subject: [PATCH] fsck: avoid buffer overflow if user passes in an insanely long fs type

Reported-by:
Signed-off-by: Theodore Ts'o
---
 misc/fsck.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/misc/fsck.c b/misc/fsck.c
index de5ae25..a2e0dfb 100644
--- a/misc/fsck.c
+++ b/misc/fsck.c
@@ -408,7 +408,8 @@ static char *find_fsck(char *type)
 tpl = (strncmp(type, "fsck.", 5) ? "%s/fsck.%s" : "%s/%s");

 for(s = strtok(p, ":"); s; s = strtok(NULL, ":")) {
- sprintf(prog, tpl, s, type);
+ if (snprintf(prog, sizeof(prog), tpl, s, type) >= sizeof(prog))
+ continue;
 if (stat(prog, &st) == 0) break;
 }
 free(p);
@@ -435,7 +436,7 @@ static int progress_active(NOARGS)
 static int execute(const char *type, const char *device, const char *mntpt,
 int interactive)
 {
- char *s, *argv[80], prog[80];
+ char *s, *argv[80], prog[256];
 int argc, i;
 struct fsck_instance *inst, *p;
 pid_t pid;
@@ -445,7 +446,8 @@ static int execute(const char *type, const char *device, const char *mntpt,
 return ENOMEM;
 memset(inst, 0, sizeof(struct fsck_instance));

- sprintf(prog, "fsck.%s", type);
+ if (snprintf(prog, sizeof(prog), "fsck.%s", type) >= sizeof(prog))
+ return EINVAL;
 argv[0] = string_copy(prog);
 argc = 1;

--
1.8.3.1
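Review bot: The truncation check added in find_fsck's loop compares snprintf's int return with sizeof(prog), a size_t, so a negative error return is caught only because it converts to a very large unsigned value, and the comparison will trip -Wsign-compare. Spelling it out avoids relying on that conversion: `int n = snprintf(prog, sizeof(prog), tpl, s, type);` followed by `if (n < 0 || (size_t)n >= sizeof(prog)) continue;`. The same pattern is in the snprintf check added to execute() in the third hunk. A short comment such as `/* skip PATH entries whose full name would not fit in prog */` would also show that an over-long candidate is skipped on purpose rather than reported. find_fsck starts and ends outside the hunk, so prog's declaration there is not visible.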
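Review bot: The new size in `prog[256]` in execute() is still a bare number with no stated relation to the buffer find_fsck formats into, whose declaration is outside this diff. If that buffer is not larger, a type that fits here could still be dropped later as truncated once a directory is prepended, which would look like a missing checker rather than a length error. A named constant shared by both buffers, or a comment like `/* must hold "fsck." plus the longest fs type we accept */`, would make the bound reviewable. `argv[80]` on the same line is also fixed-size; the code that fills it is outside the hunk, so it is worth confirming argc is bounded there.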
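Review bot: The new `return EINVAL;` in execute() exits after inst has already been set up, so the over-long-type path appears to leak the instance. The memset on inst is two lines above; the allocation itself is outside the hunk, presumably a malloc. Either free it on that path, `if (...) { free(inst); return EINVAL; }`, or move the length check ahead of the allocation so nothing needs cleaning up. The function continues outside the hunk, so whether the caller reports EINVAL to the user cannot be seen from here.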