The function 'strncpy' may incorrectly check buffer boundaries
and may overflow buffer 'info->name' of fixed size (256). Also
there is one similar error on line 1135.
Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com>
Change-Id: I512ab6678fbf1d02bac2eb290fd13c22fca9dc2b
Reviewed-on: http://review.whamcloud.com/12516
Tested-by: Jenkins
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Bob Glossman <bob.glossman@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
{
struct changelog_rec *rec;
struct changelog_ext_rename *rnm;
{
struct changelog_rec *rec;
struct changelog_ext_rename *rnm;
+ size_t namelen;
+ size_t copylen;
- if (llapi_changelog_recv(priv, &rec) != 0)
- return -1;
+ if (llapi_changelog_recv(priv, &rec) != 0)
+ return -1;
info->is_extended = !!(rec->cr_flags & CLF_RENAME);
info->is_extended = !!(rec->cr_flags & CLF_RENAME);
- info->recno = rec->cr_index;
- info->type = rec->cr_type;
- sprintf(info->tfid, DFID, PFID(&rec->cr_tfid));
- sprintf(info->pfid, DFID, PFID(&rec->cr_pfid));
- strncpy(info->name, changelog_rec_name(rec), rec->cr_namelen);
- info->name[rec->cr_namelen] = '\0';
+ info->recno = rec->cr_index;
+ info->type = rec->cr_type;
+ snprintf(info->tfid, sizeof(info->tfid), DFID, PFID(&rec->cr_tfid));
+ snprintf(info->pfid, sizeof(info->pfid), DFID, PFID(&rec->cr_pfid));
+
+ namelen = strnlen(changelog_rec_name(rec), rec->cr_namelen);
+ copylen = min(sizeof(info->name), namelen + 1);
+ strlcpy(info->name, changelog_rec_name(rec), copylen);
/* Don't use rnm if CLF_RENAME isn't set */
rnm = changelog_rec_rename(rec);
/* Don't use rnm if CLF_RENAME isn't set */
rnm = changelog_rec_rename(rec);
PFID(&rnm->cr_sfid));
snprintf(info->spfid, sizeof(info->spfid), DFID,
PFID(&rnm->cr_spfid));
PFID(&rnm->cr_sfid));
snprintf(info->spfid, sizeof(info->spfid), DFID,
PFID(&rnm->cr_spfid));
- strncpy(info->sname, changelog_rec_sname(rec),
- changelog_rec_snamelen(rec));
- info->sname[changelog_rec_snamelen(rec)] = '\0';
+ namelen = changelog_rec_snamelen(rec);
+ copylen = min(sizeof(info->sname), namelen + 1);
+ strlcpy(info->sname, changelog_rec_sname(rec), copylen);
if (verbose > 1)
printf("Rec %lld: %d %s %s\n", info->recno, info->type,
if (verbose > 1)
printf("Rec %lld: %d %s %s\n", info->recno, info->type,
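Review bot: Both `strlcpy()` calls (into `info->name` and `info->sname`) bound the write to the destination but not the read of the source: strlcpy implementations generally walk the source to its terminating NUL to compute the return value, so if a record name is not NUL-terminated within its recorded length (which the `strnlen(..., rec->cr_namelen)` call suggests is possible) the read can run past the record. Since the length is already computed, a bounded copy avoids that: `memcpy(info->name, changelog_rec_name(rec), copylen - 1); info->name[copylen - 1] = '\0';`, and the same for `info->sname`. The `sname` path also takes `changelog_rec_snamelen(rec)` straight into a `size_t` without a `strnlen` bound; its return type is not visible here, so it is worth confirming it cannot be negative or exceed the record. Separately, a name that does not fit is now truncated silently, and if the shortened name is later used as a path it may refer to a different file, so consider detecting `namelen >= sizeof(info->name)` and reporting an error (releasing the record first if this function owns it). The enclosing function starts and ends outside the visible lines.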