From: Danny Al-Gaaf Date: Tue, 5 May 2015 12:38:04 +0000 (+0200) Subject: osd/ClassHandler.cc: fix STRING_OVERFLOW X-Git-Tag: v9.0.2~68^2~4 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f5ae56b57c528b8d120019274bbe616ce3fb2fa3;p=ceph.git osd/ClassHandler.cc: fix STRING_OVERFLOW CID 1058792 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) fixed_size_dest: You might overrun the 4097 byte fixed-size string cname by copying &pde->d_name[8UL] - 1 without checking the length. Signed-off-by: Danny Al-Gaaf
---
diff --git a/src/osd/ClassHandler.cc b/src/osd/ClassHandler.cc
index 6c1f20dbaa3a2..c52177b7e1690 100644
--- a/src/osd/ClassHandler.cc
+++ b/src/osd/ClassHandler.cc
@@ -56,7 +56,7 @@ int ClassHandler::open_all_classes()
 strncmp(pde->d_name, CLS_PREFIX, sizeof(CLS_PREFIX) - 1) == 0 &&
 strcmp(pde->d_name + strlen(pde->d_name) - (sizeof(CLS_SUFFIX) - 1), CLS_SUFFIX) == 0) {
 char cname[PATH_MAX + 1];
- strcpy(cname, pde->d_name + sizeof(CLS_PREFIX) - 1);
+ strncpy(cname, pde->d_name + sizeof(CLS_PREFIX) - 1, sizeof(cname) -1);
 cname[strlen(cname) - (sizeof(CLS_SUFFIX) - 1)] = '\0';
 dout(10) << __func__ << " found " << cname << dendl;
 ClassData *cls;
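Review bot: The added `strncpy` does not terminate `cname` when the source is `sizeof(cname) - 1` bytes or longer, and the very next line calls `strlen(cname)` on that uninitialized stack buffer, so the unbounded write is traded for a possible read past the end of the array. Setting the last byte explicitly right after the copy closes this: `cname[sizeof(cname) - 1] = '\0';`. In practice `d_name` is presumably far shorter than `PATH_MAX`, so truncation should not occur, but the explicit terminator is what makes the bounded copy safe rather than merely quiet for the static analyzer. The `if` condition and the rest of `open_all_classes()` start and end outside this hunk, so any earlier length check on `d_name` is not visible here.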