fsck_ffs: Don't overrun mount device buffer

Maybe this case is impossible. Either way, when attempting to "/dev/"-prefix a non-global device name, check that we do not overrun the f_mntfromname buffer. In this case, truncating (with strlcpy or similar) would not be useful, since the f_mntfromname result of getmntpt() is passed directly to open(2) later. Reported by: Coverity CID: 1006789 Sponsored by: EMC / Isilon Storage Division
2016-05-11 16:20:23 +00:00 · 2016-05-11 16:20:23 +00:00 · 333d028407
commit 333d028407
parent 3b56262303
1 changed files with 3 additions and 0 deletions
--- a/sbin/fsck_ffs/main.c
+++ b/sbin/fsck_ffs/main.c
@ -644,6 +644,9 @@ getmntpt(const char *name)
 		statfsp = &mntbuf[i];
 		ddevname = statfsp->f_mntfromname;
 		if (*ddevname != '/') {
+			if (strlen(_PATH_DEV) + strlen(ddevname) + 1 >
+			    sizeof(statfsp->f_mntfromname))
+				continue;
 			strcpy(device, _PATH_DEV);
 			strcat(device, ddevname);
 			strcpy(statfsp->f_mntfromname, device);