btrfs-progs: fix overflows of ioctl name args

3 places where we copy pathnames into ioctl arguments were not limited to the destination name size, and could overflow. Use the new strncpy_null() macro to make this safe. Signed-off-by: Eric Sandeen <sandeen@redhat.com>
2013-01-25 13:27:48 -06:00 · 2013-01-25 13:27:48 -06:00 · 899ba61fa6
parent bcb2b73358
commit 899ba61fa6
2 changed files with 4 additions and 3 deletions
--- a/btrfs-vol.c
+++ b/btrfs-vol.c
@ -159,7 +159,7 @@ int main(int ac, char **av)
 	}
 	fd = dirfd(dirstream);
 	if (device)
-		strcpy(args.name, device);
+		strncpy_null(args.name, device);
 	else
 		args.name[0] = '\0';

--- a/cmds-receive.c
+++ b/cmds-receive.c
@ -43,6 +43,7 @@
 #include "ctree.h"
 #include "ioctl.h"
 #include "commands.h"
+#include "utils.h"
 #include "list.h"

 #include "send.h"
@ -165,7 +166,7 @@ static int process_subvol(const char *path, const u8 *uuid, u64 ctransid,
 	}

 	memset(&args_v1, 0, sizeof(args_v1));
-	strcpy(args_v1.name, path);
+	strncpy_null(args_v1.name, path);
 	ret = ioctl(r->mnt_fd, BTRFS_IOC_SUBVOL_CREATE, &args_v1);
 	if (ret < 0) {
 		ret = -errno;
@ -213,7 +214,7 @@ static int process_snapshot(const char *path, const u8 *uuid, u64 ctransid,
 	}

 	memset(&args_v2, 0, sizeof(args_v2));
-	strcpy(args_v2.name, path);
+	strncpy_null(args_v2.name, path);

 	r->parent_subvol = subvol_uuid_search(&r->sus, 0, parent_uuid,
 			parent_ctransid, NULL, subvol_search_by_received_uuid);