lscpu: theoretical buffer overflow
authorTobias Stoeckmann <tobias@stoeckmann.org>
Sun, 26 Oct 2014 17:41:24 +0000 (18:41 +0100)
committerKarel Zak <kzak@redhat.com>
Tue, 18 Nov 2014 10:38:21 +0000 (11:38 +0100)
There is a theoretical buffer overflow possible in the hypervisor
parsing code of lscpu.  It would require a proc entry to return way more
than expected, so it is not a high priority.  But better safe than sorry.

At first I thought about switching to fgets but there is another
code file that adds a format specifier.  The diff is less intrusive
that way, too.

Signed-off-by: Karel Zak <kzak@redhat.com>
sys-utils/lscpu.c

index ef594108833fa94c36c7e3907640daea68f386fb..c272dc238ac58fa9c0d90d75fcfa719c6d53a8f4 100644 (file)
@@ -621,7 +621,7 @@ read_hypervisor_powerpc(struct lscpu_desc *desc)
                fd = path_fopen("r", 0, _PATH_PROC_DEVICETREE "/ibm,partition-name");
                if (fd) {
                        char buf[256];
-                       if (fscanf(fd, "%s", buf) == 1 && !strcmp(buf, "full"))
+                       if (fscanf(fd, "%255s", buf) == 1 && !strcmp(buf, "full"))
                                desc->virtype = VIRT_NONE;
                        fclose(fd);
                }
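Review bot: The width `255` in `fscanf(fd, "%255s", buf)` is tied to `char buf[256]` only by convention, so a later change to the buffer size would silently bring the overflow back; the same applies to the second hunk, in read_hypervisor(). A comment at the declaration such as `/* keep the fscanf width at sizeof(buf) - 1: %s also stores a terminating NUL */` would record the invariant in both places. Truncation itself looks harmless here, because a token cut at 255 bytes cannot compare equal to the short literals `"full"` or `"control_d"`. Both enclosing functions start and end outside the hunks shown, so other reads in them could not be checked.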
@@ -757,7 +757,7 @@ read_hypervisor(struct lscpu_desc *desc, struct lscpu_modifier *mod)
                if (fd) {
                        char buf[256];
 
-                       if (fscanf(fd, "%s", buf) == 1 &&
+                       if (fscanf(fd, "%255s", buf) == 1 &&
                            !strcmp(buf, "control_d"))
                                dom0 = 1;
                        fclose(fd);