From 3374a0b227ad0b26098cdf1e2d5ad7978723c77f Mon Sep 17 00:00:00 2001
From: Danny Al-Gaaf
Date: Wed, 1 Oct 2014 23:08:15 +0200
Subject: [PATCH] BtrfsFileStoreBackend.cc: fix string overflow

Use strncpy() instead of strcpy and make sure the result is '\0' terminated.

Fix for:

CID 1063700 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) fixed_size_dest: You might overrun the 4088 byte fixed-size string vol_args.name by copying the return value of c_str without checking the length.

Signed-off-by: Danny Al-Gaaf
---
 src/os/BtrfsFileStoreBackend.cc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/os/BtrfsFileStoreBackend.cc b/src/os/BtrfsFileStoreBackend.cc
index 356084b9daa5..8c2273344a49 100644
--- a/src/os/BtrfsFileStoreBackend.cc
+++ b/src/os/BtrfsFileStoreBackend.cc
@@ -375,7 +375,10 @@ int BtrfsFileStoreBackend::create_checkpoint(const string& name, uint64_t *trans
   memset(&async_args, 0, sizeof(async_args));
   async_args.fd = get_current_fd();
   async_args.flags = BTRFS_SUBVOL_CREATE_ASYNC;
-  strncpy(async_args.name, name.c_str(), sizeof(async_args.name));
+
+  size_t name_size = sizeof(async_args.name);
+  strncpy(async_args.name, name.c_str(), name_size);
+  async_args.name[name_size-1] = '\0';
 
   int r = ::ioctl(get_basedir_fd(), BTRFS_IOC_SNAP_CREATE_V2, &async_args);
   if (r < 0) {
@@ -389,7 +392,10 @@ int BtrfsFileStoreBackend::create_checkpoint(const string& name, uint64_t *trans
   struct btrfs_ioctl_vol_args vol_args;
   memset(&vol_args, 0, sizeof(vol_args));
   vol_args.fd = get_current_fd();
-  strcpy(vol_args.name, name.c_str());
+
+  size_t name_size = sizeof(vol_args.name);
+  strncpy(vol_args.name, name.c_str(), name_size);
+  vol_args.name[name_size-1] = '\0';
 
   int r = ::ioctl(get_basedir_fd(), BTRFS_IOC_SNAP_CREATE, &vol_args);
   if (r < 0) {
-- 
2.47.3
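Review bot: The new strncpy-plus-terminator sequence turns the overflow into silent truncation: a `name` of sizeof(async_args.name) bytes or more is cut short before the BTRFS_IOC_SNAP_CREATE_V2 ioctl, so the snapshot would be created under a different name than the caller requested and a later lookup by the full checkpoint name would not find it. Since `name` originates outside this function, reject the oversized case explicitly instead of relying on whatever the kernel does with a truncated name: `if (name.size() >= sizeof(async_args.name)) return -ENAMETOOLONG;` before the strncpy (assuming, as the `if (r < 0)` path suggests, that this function reports errors as negative errno values). With that guard the forced NUL on the last byte is harmless but no longer load-bearing, and a one-line comment such as `// reject rather than truncate: the ioctl must see the exact checkpoint name` would record the intent. create_checkpoint's body begins and continues outside this hunk.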
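Review bot: This second path now carries an identical three-line copy-and-terminate sequence to the async path above, with the same weakness that an over-long `name` is silently truncated rather than rejected before BTRFS_IOC_SNAP_CREATE. Putting the copy and the length check in one file-local helper makes it impossible to guard one path and forget the other; the helper below returns -ENAMETOOLONG when the name (plus terminator) does not fit, and the existing `int r = ::ioctl(...)` line becomes a plain assignment to the `r` it declares. Whether <cerrno> is already included is not visible from this hunk; create_checkpoint's body begins and continues outside it.
```cpp
// Copy a checkpoint name into a fixed-size btrfs ioctl name field,
// refusing names that would not fit together with the terminator.
static int copy_vol_name(char *dst, size_t dst_size, const string &src)
{
  if (src.size() >= dst_size)
    return -ENAMETOOLONG;
  memcpy(dst, src.data(), src.size());
  dst[src.size()] = '\0';
  return 0;
}

// … unchanged: vol_args declaration, memset, fd setup …
  int r = copy_vol_name(vol_args.name, sizeof(vol_args.name), name);
  if (r < 0)
    return r;

  r = ::ioctl(get_basedir_fd(), BTRFS_IOC_SNAP_CREATE, &vol_args);
// … unchanged: error handling …
```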