libbe(3): Prefer safer versions of strcat/strcpy

Or, in the activate case, just use snprintf since that's effectively what
we're doing anyways.
Kyle Evans 2018-08-16 18:37:47 +00:00
parent 43daed4774
commit a8e44f4da0
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=337921
3 changed files with 19 additions and 12 deletions


@ -91,7 +91,6 @@ libbe_init(void)
lbh = NULL;
poolname = pos = NULL;
pnamelen = 0;
rootds = NULL;
/* Verify that /boot and / are mounted on the same filesystem */
@ -138,6 +137,8 @@ libbe_init(void)
strlcpy(poolname, lbh->root, pnamelen + 1);
if ((lbh->active_phandle = zpool_open(lbh->lzh, poolname)) == NULL)
goto err;
free(poolname);
poolname = NULL;
if (zpool_get_prop(lbh->active_phandle, ZPOOL_PROP_BOOTFS, lbh->bootfs,
sizeof(lbh->bootfs), NULL, true) != 0)
@ -218,7 +219,6 @@ be_destroy(libbe_handle_t *lbh, const char *name, int options)
p = path;
force = options & BE_DESTROY_FORCE;
err = BE_ERR_SUCCESS;
be_root_concat(lbh, name, path);
@ -274,8 +274,12 @@ be_snapshot(libbe_handle_t *lbh, const char *source, const char *snap_name,
return (BE_ERR_NOENT);
if (snap_name != NULL) {
strcat(buf, "@");
strcat(buf, snap_name);
if (strlcat(buf, "@", sizeof(buf)) >= sizeof(buf))
return (set_error(lbh, BE_ERR_INVALIDNAME));
if (strlcat(buf, snap_name, sizeof(buf)) >= sizeof(buf))
return (set_error(lbh, BE_ERR_INVALIDNAME));
if (result != NULL)
snprintf(result, BE_MAXPATHLEN, "%s@%s", source,
snap_name);
@ -284,8 +288,9 @@ be_snapshot(libbe_handle_t *lbh, const char *source, const char *snap_name,
len = strlen(buf);
strftime(buf + len, sizeof(buf) - len,
"@%F-%T", localtime(&rawtime));
if (result != NULL)
strcpy(result, strrchr(buf, '/') + 1);
if (result != NULL && strlcpy(result, strrchr(buf, '/') + 1,
sizeof(buf)) >= sizeof(buf))
return (set_error(lbh, BE_ERR_INVALIDNAME));
}
if ((err = zfs_snapshot(lbh->lzh, buf, recursive, NULL)) != 0) {
@ -942,9 +947,7 @@ be_activate(libbe_handle_t *lbh, const char *bootenv, bool temporary)
return (set_error(lbh, BE_ERR_UNKNOWN));
/* Expected format according to zfsbootcfg(8) man */
strcpy(buf, "zfs:");
strcat(buf, be_path);
strcat(buf, ":");
snprintf(buf, sizeof(buf), "zfs:%s:", be_path);
/* We have no config tree */
if (nvlist_lookup_nvlist(config, ZPOOL_CONFIG_VDEV_TREE,
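Review bot: In the timestamp branch of be_snapshot, the new `strlcpy(result, strrchr(buf, '/') + 1, sizeof(buf))` bounds the copy by the size of the local `buf` rather than by the caller-supplied `result`. The named-snapshot branch just above writes `result` with `BE_MAXPATHLEN`, so the same bound belongs here: `strlcpy(result, strrchr(buf, '/') + 1, BE_MAXPATHLEN) >= BE_MAXPATHLEN`. The two bounds only coincide if `buf` is declared with that size, and its declaration is outside the hunk. The `snprintf` into `result` in the named branch and the new `snprintf` into `buf` in be_activate still ignore their return values, so truncation there passes silently, unlike the checked `strlcat` calls. Both functions begin and end outside the hunks shown.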


@ -124,7 +124,7 @@ be_mount(libbe_handle_t *lbh, char *bootenv, char *mountpoint, int flags,
/* Create mountpoint if it is not specified */
if (mountpoint == NULL) {
strcpy(mnt_temp, "/tmp/be_mount.XXXX");
strlcpy(mnt_temp, "/tmp/be_mount.XXXX", sizeof(mnt_temp));
if (mkdtemp(mnt_temp) == NULL)
return (set_error(lbh, BE_ERR_IO));
}
@ -149,7 +149,8 @@ be_mount(libbe_handle_t *lbh, char *bootenv, char *mountpoint, int flags,
}
if (result_loc != NULL)
strcpy(result_loc, mountpoint == NULL ? mnt_temp : mountpoint);
strlcpy(result_loc, mountpoint == NULL ? mnt_temp : mountpoint,
BE_MAXPATHLEN);
return (BE_ERR_SUCCESS);
}
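Review bot: The new `strlcpy(result_loc, mountpoint == NULL ? mnt_temp : mountpoint, BE_MAXPATHLEN)` in be_mount discards its return value, so an over-long `mountpoint` is silently truncated and the function still returns `BE_ERR_SUCCESS`. The caller then holds a path that differs from the directory actually mounted, whereas be_snapshot in this same commit reports truncation through `set_error`. Since the copy happens after the mount work, it is probably cleaner to reject the length up front, e.g. `if (mountpoint != NULL && strlen(mountpoint) >= BE_MAXPATHLEN)` followed by a `set_error` return near the top of the function. The start of be_mount and the code between the two hunks are not visible here.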


@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd August 12, 2018
.Dd August 16, 2018
.Dt LIBBE 3
.Os
.Sh NAME
@ -267,6 +267,9 @@ If
.Fa result
is not
.Dv NULL ,
it should be large enough to accommodate
.Dv BE_MAXPATHLEN
including the null terminator.
the final mount point will be copied into it.
Setting the
.Dv BE_MNT_FORCE