libfstools: fit: improve fit_volume_find string handling

While string are hardcoded and it's impossible to overflow it, make the
string handling more secure to mute Coverity Scan report by using
strncpy and adding a define for the max size of the DEVPATHSTR.

Fix Coverity Scan CID 1586643:  Security best practices violations
(STRING_OVERFLOW).

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

diff --git a/libfstools/fit.c b/libfstools/fit.c
index b0da854a7623f087875bf233db53c5881124fc50..a8f0c6648ad30ac81821ec388a0505c444b4f32c 100644 (file)
--- a/libfstools/fit.c
+++ b/libfstools/fit.c
@@ -3,6 +3,7 @@
 #include "common.h"
 
 #define BUFLEN 64
+#define DEVPATHSTR_SIZE 15
 
 static const char *const fit0 = "/dev/fit0";
 static const char *const fitrw = "/dev/fitrw";
@@ -15,7 +16,7 @@ struct devpath {
 struct fit_volume {
        struct volume v;
        union {
-               char devpathstr[16];
+               char devpathstr[DEVPATHSTR_SIZE+1];
                struct devpath devpath;
        } dev;
 };
@@ -79,7 +80,7 @@ static struct volume *fit_volume_find(char *name)
        if (!p)
                return NULL;
 
-       strcpy(p->dev.devpathstr, fname);
+       strncpy(p->dev.devpathstr, fname, DEVPATHSTR_SIZE);
        p->v.drv = &fit_driver;
        p->v.blk = p->dev.devpathstr;
        p->v.name = name;