From 899ba61fa695ae8e58599da25d174afa392fd552 Mon Sep 17 00:00:00 2001 From: Eric Sandeen Date: Fri, 25 Jan 2013 13:27:48 -0600 Subject: [PATCH] btrfs-progs: fix overflows of ioctl name args 3 places where we copy pathnames into ioctl arguments were not limited to the destination name size, and could overflow. Use the new strncpy_null() macro to make this safe. Signed-off-by: Eric Sandeen --- btrfs-vol.c | 2 +- cmds-receive.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/btrfs-vol.c b/btrfs-vol.c index ad824bd8..3cc1c327 100644 --- a/btrfs-vol.c +++ b/btrfs-vol.c @@ -159,7 +159,7 @@ int main(int ac, char **av) } fd = dirfd(dirstream); if (device) - strcpy(args.name, device); + strncpy_null(args.name, device); else args.name[0] = '\0'; diff --git a/cmds-receive.c b/cmds-receive.c index e6291744..6688d0c8 100644 --- a/cmds-receive.c +++ b/cmds-receive.c @@ -43,6 +43,7 @@ #include "ctree.h" #include "ioctl.h" #include "commands.h" +#include "utils.h" #include "list.h" #include "send.h" @@ -165,7 +166,7 @@ static int process_subvol(const char *path, const u8 *uuid, u64 ctransid, } memset(&args_v1, 0, sizeof(args_v1)); - strcpy(args_v1.name, path); + strncpy_null(args_v1.name, path); ret = ioctl(r->mnt_fd, BTRFS_IOC_SUBVOL_CREATE, &args_v1); if (ret < 0) { ret = -errno; @@ -213,7 +214,7 @@ static int process_snapshot(const char *path, const u8 *uuid, u64 ctransid, } memset(&args_v2, 0, sizeof(args_v2)); - strcpy(args_v2.name, path); + strncpy_null(args_v2.name, path); r->parent_subvol = subvol_uuid_search(&r->sus, 0, parent_uuid, parent_ctransid, NULL, subvol_search_by_received_uuid);