From 6063fecad207d13981dea3e20f89f7ac4c3fb26f Mon Sep 17 00:00:00 2001
From: Eric Sandeen <sandeen@redhat.com>
Date: Sat, 26 Jan 2013 22:40:29 +0000
Subject: [PATCH] xfs_fsr: guard against path string overflows

gettmpname() and getparent() blindly copy strings
into a target array; be sure we limit the copy to
the size of the target and null terminate it.

I don't see a way to get here with a too-long name,
since most paths try to open or stat the file already,
but it can't hurt to be defensive.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Mark Tinguely <tinguely@sgi.com>
---
 fsr/xfs_fsr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fsr/xfs_fsr.c b/fsr/xfs_fsr.c
index 2db222498..843f57d70 100644
--- a/fsr/xfs_fsr.c
+++ b/fsr/xfs_fsr.c
@@ -1452,7 +1452,8 @@ gettmpname(char *fname)
 
 	sprintf(sbuf, "/.fsr%d", getpid());
 
-	strcpy(buf, fname);
+	strncpy(buf, fname, PATH_MAX);
+	buf[PATH_MAX] = '\0';
 	ptr = strrchr(buf, '/');
 	if (ptr) {
 		*ptr = '\0';
@@ -1476,7 +1477,8 @@ getparent(char *fname)
 	static char	buf[PATH_MAX+1];
 	char		*ptr;
 
-	strcpy(buf, fname);
+	strncpy(buf, fname, PATH_MAX);
+	buf[PATH_MAX] = '\0';
 	ptr = strrchr(buf, '/');
 	if (ptr) {
 		if (ptr == &buf[0])
-- 
2.47.2