fsck: use xasprintf to avoid buffer overruns with an insane fs type

This prevents a crash when running the command:

fsck -t AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /dev/sda

Reported-by: Hornseth_Brenan@bah.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/disk-utils/fsck.c b/disk-utils/fsck.c
index 58fd8ac5994ef81f457d386b44b4c7e17a531850..8a07bc272dadd2eb73b609faf4aa129d84964d6c 100644 (file)
--- a/disk-utils/fsck.c
+++ b/disk-utils/fsck.c
@@ -544,20 +544,20 @@ static char *find_fsck(const char *type)
 {
        char *s;
        const char *tpl;
-       static char prog[256];
+       static char *prog = NULL;
        char *p = xstrdup(fsck_path);
 
        /* Are we looking for a program or just a type? */
        tpl = (strncmp(type, "fsck.", 5) ? "%s/fsck.%s" : "%s/%s");
 
        for(s = strtok(p, ":"); s; s = strtok(NULL, ":")) {
-               sprintf(prog, tpl, s, type);
+               xasprintf(&prog, tpl, s, type);
                if (access(prog, X_OK) == 0)
                        break;
+               free(prog); prog = NULL;
        }
        free(p);
-
-       return(s ? prog : NULL);
+       return(prog);
 }
 
 static int progress_active(void)
@@ -885,7 +885,7 @@ static int wait_many(int flags)
  */
 static int fsck_device(struct libmnt_fs *fs, int interactive)
 {
-       char progname[80], *progpath;
+       char *progname, *progpath;
        const char *type;
        int retval;
 
@@ -902,9 +902,10 @@ static int fsck_device(struct libmnt_fs *fs, int interactive)
        else
                type = DEFAULT_FSTYPE;
 
-       sprintf(progname, "fsck.%s", type);
+       xasprintf(&progname, "fsck.%s", type);
        progpath = find_fsck(progname);
        if (progpath == NULL) {
+               free(progname);
                if (fs_check_required(type)) {
                        retval = ENOENT;
                        goto err;
@@ -914,6 +915,8 @@ static int fsck_device(struct libmnt_fs *fs, int interactive)
 
        num_running++;
        retval = execute(progname, progpath, type, fs, interactive);
+       free(progname);
+       free(progpath);
        if (retval) {
                num_running--;
                goto err;