From: Daniel Golle Date: Wed, 12 May 2021 16:07:28 +0000 (+0100) Subject: libblkid-tiny: fix buffer overflow X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d47909ea1e5f32cfc9f756a04edc052717c98ae6;p=project%2Ffstools.git libblkid-tiny: fix buffer overflow Copying device name into a fixed-length buffer is problematic as the name can be longer than the buffer, resulting in subsequent fields getting corrupted and potentially even worse things. Drop strcpy of device name and use of the copied value as it is known anyway. Before this fix: /dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="c66-rw_test" LABEL="test" VERSION="1.14" TYPE="f2fs" After this fix: /dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="5eda3e52-3427-493a-a6d6-ffdb5a5836fd" LABEL="test" VERSION="1.14" TYPE="f2fs" Signed-off-by: Daniel Golle
---
diff --git a/libblkid-tiny/libblkid-tiny.c b/libblkid-tiny/libblkid-tiny.c
index 52470ca..18db4ef 100644
--- a/libblkid-tiny/libblkid-tiny.c
+++ b/libblkid-tiny/libblkid-tiny.c
@@ -226,7 +226,6 @@ int probe_block(char *block, struct blkid_struct_probe *pr)
 DEBUG("probing %s\n", idinfos[i]->name);
 pr->err = idinfos[i]->probefunc(pr, mag);
 pr->id = idinfos[i];
- strcpy(pr->dev, block);
 if (!pr->err)
 break;
 }
diff --git a/probe.c b/probe.c
index 3ed7a7d..ab1bc61 100644
--- a/probe.c
+++ b/probe.c
@@ -31,16 +31,14 @@ probe_path_tiny(const char *path)
 if (probe_block((char *)path, pr) == 0 && pr->id && !pr->err) {
 info = calloc_a(sizeof(*info),
 &type, strlen(pr->id->name) + 1,
- &dev, strlen(pr->dev) + 1,
+ &dev, strlen(path) + 1,
 &uuid, strlen(pr->uuid) + 1,
 &label, strlen(pr->label) + 1,
 &version, strlen(pr->version) + 1);
 if (info) {
 info->type = strcpy(type, pr->id->name);
-
- if (pr->dev[0])
- info->dev = strcpy(dev, pr->dev);
+ info->dev = strcpy(dev, path);
 if (pr->uuid[0])
 info->uuid = strcpy(uuid, pr->uuid);
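Review bot: The fixed-length `pr->dev` member is now neither written nor read by anything shown in this patch, but the patch does not remove it from `struct blkid_struct_probe`. If the member stays, any reader outside these hunks would see whatever the allocation left there, and a later change could reintroduce an unbounded copy into it. I would delete the member in the same commit, or at least mark it with a comment such as `/* unused: callers already hold the device path */`. Relatedly, the `(char *)path` cast in the `probe_block()` call looks removable: if the rest of `probe_block` (outside the hunk) never writes through `block`, its parameter can become `const char *block`. The bodies of both `probe_block` and `probe_path_tiny` continue outside the hunks, so both suggestions need a check against the full file.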