From: Danny Al-Gaaf
Date: Wed, 1 Oct 2014 21:08:15 +0000 (+0200)
Subject: BtrfsFileStoreBackend.cc: fix string overflow
X-Git-Tag: v0.88~125^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F2623%2Fhead;p=ceph.git

BtrfsFileStoreBackend.cc: fix string overflow

Use strncpy() instead of strcpy and make sure the result is '\0' terminated.

Fix for: CID 1063700 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) fixed_size_dest: You might overrun the 4088 byte fixed-size string vol_args.name by copying the return value of c_str without checking the length.

Signed-off-by: Danny Al-Gaaf
---
diff --git a/src/os/BtrfsFileStoreBackend.cc b/src/os/BtrfsFileStoreBackend.cc
index 356084b9daa5..8c2273344a49 100644
--- a/src/os/BtrfsFileStoreBackend.cc
+++ b/src/os/BtrfsFileStoreBackend.cc
@@ -375,7 +375,10 @@ int BtrfsFileStoreBackend::create_checkpoint(const string& name, uint64_t *trans
   memset(&async_args, 0, sizeof(async_args));
   async_args.fd = get_current_fd();
   async_args.flags = BTRFS_SUBVOL_CREATE_ASYNC;
-  strncpy(async_args.name, name.c_str(), sizeof(async_args.name));
+
+  size_t name_size = sizeof(async_args.name);
+  strncpy(async_args.name, name.c_str(), name_size);
+  async_args.name[name_size-1] = '\0';
 
   int r = ::ioctl(get_basedir_fd(), BTRFS_IOC_SNAP_CREATE_V2, &async_args);
   if (r < 0) {
@@ -389,7 +392,10 @@ int BtrfsFileStoreBackend::create_checkpoint(const string& name, uint64_t *trans
   struct btrfs_ioctl_vol_args vol_args;
   memset(&vol_args, 0, sizeof(vol_args));
   vol_args.fd = get_current_fd();
-  strcpy(vol_args.name, name.c_str());
+
+  size_t name_size = sizeof(vol_args.name);
+  strncpy(vol_args.name, name.c_str(), name_size);
+  vol_args.name[name_size-1] = '\0';
 
   int r = ::ioctl(get_basedir_fd(), BTRFS_IOC_SNAP_CREATE, &vol_args);
   if (r < 0) {
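Review bot: An over-long name is now silently truncated rather than rejected, in both hunks: after `strncpy` plus the forced terminator, the snapshot ioctl is issued with a name that differs from the one the caller passed in, so a later lookup, rollback or destroy by the original name would not match the checkpoint actually created. The overrun is fixed, but the caller never learns that its name was altered. Consider failing before the copy instead, e.g. `if (name.size() >= sizeof(async_args.name)) return -ENAMETOOLONG;` ahead of the `async_args` copy, and the same guard against `sizeof(vol_args.name)` in the second hunk, keeping the explicit terminator write as a defensive measure. create_checkpoint begins before the first hunk and continues past the second, so the existing error-return convention of the function should be checked against that suggestion.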