fsck: avoid buffer overflow if user passes in an insanely long fs type

author Theodore Ts'o <tytso@mit.edu>

Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)

committer Theodore Ts'o <tytso@mit.edu>

Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)
author Theodore Ts'o <tytso@mit.edu>
Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)
committer Theodore Ts'o <tytso@mit.edu>
Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)
diff --git a/misc/fsck.c b/misc/fsck.c

index de5ae25..a2e0dfb 100644 (file)
--- a/misc/fsck.c
+++ b/misc/fsck.c
@@ -408,7 +408,8 @@ static char *find_fsck(char *type)
    tpl = (strncmp(type, "fsck.", 5) ? "%s/fsck.%s" : "%s/%s");
  
    for(s = strtok(p, ":"); s; s = strtok(NULL, ":")) {
-       sprintf(prog, tpl, s, type);
+       if (snprintf(prog, sizeof(prog), tpl, s, type) >= sizeof(prog))
+               continue;
         if (stat(prog, &st) == 0) break;
    }
    free(p);
@@ -435,7 +436,7 @@ static int progress_active(NOARGS)
  static int execute(const char *type, const char *device, const char *mntpt,
                    int interactive)
  {
-       char *s, *argv[80], prog[80];
+       char *s, *argv[80], prog[256];
         int  argc, i;
         struct fsck_instance *inst, *p;
         pid_t   pid;
@@ -445,7 +446,8 @@ static int execute(const char *type, const char *device, const char *mntpt,
                 return ENOMEM;
         memset(inst, 0, sizeof(struct fsck_instance));
  
-       sprintf(prog, "fsck.%s", type);
+       if (snprintf(prog, sizeof(prog), "fsck.%s", type) >= sizeof(prog))
+               return EINVAL;
         argv[0] = string_copy(prog);
         argc = 1;
author	Theodore Ts'o <tytso@mit.edu>
	Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)
committer	Theodore Ts'o <tytso@mit.edu>
	Fri, 23 Feb 2018 20:42:27 +0000 (15:42 -0500)