libblkid: Fix debug OOB read in zfs_process_value
authorTobias Stoeckmann <tobias@stoeckmann.org>
Wed, 8 Apr 2026 19:53:12 +0000 (21:53 +0200)
committerTobias Stoeckmann <tobias@stoeckmann.org>
Wed, 8 Apr 2026 19:53:12 +0000 (21:53 +0200)
It is possible to trigger an out of boundary read in zfs_process_value
if debugging is activated.

The debug message erroneously uses %*s (field width) instead of %.*s
(precision), which might lead to string output going past the boundary
of the memory-mapped buffer.

Fix this with proper casting: The value is always smaller than
VDEV_PHYS_SIZE (112 KB) at this stage, easily fitting into int.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
libblkid/src/superblocks/zfs.c

index 543bc4eb28c29686009dfb19f9e349b65002e036..0bec21d9de45ddb9683f5204accca073f067d4bc 100644 (file)
@@ -115,8 +115,8 @@ static bool zfs_process_value(blkid_probe pr, const char *name, size_t namelen,
                if ((uint64_t)nvs_strlen + sizeof(*nvs) > max_value_size)
                        return (false);
 
-               DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s",
-                                      type, nvs_strlen, nvs->nvs_string));
+               DBG(LOWPROBE, ul_debug("nvstring: type %u string %.*s",
+                                      type, (int)nvs_strlen, nvs->nvs_string));
 
                blkid_probe_set_label(pr, nvs->nvs_string, nvs_strlen);
                (*found)++;
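Review bot: The `(int)nvs_strlen` cast in the new `ul_debug` call is safe only because of a size bound that is not stated at this spot. A negative precision passed to `%.*s` is treated as if no precision were given, which would bring back the unbounded read. The check two lines above keeps `nvs_strlen` within `max_value_size`, and the commit message says that stays below VDEV_PHYS_SIZE, but where `max_value_size` gets that limit is outside the hunk, as are the start and end of zfs_process_value. I would record the invariant next to the cast, e.g. `/* nvs_strlen < VDEV_PHYS_SIZE here, so the cast to int cannot go negative */`. The same applies to `(int)nvp_namelen` in the zfs_extract_guid_name hunk, where the bounding check itself is not visible.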
@@ -227,8 +227,8 @@ static bool zfs_extract_guid_name(blkid_probe pr, void *buf, size_t size, bool f
                        return (false);
 
                DBG(LOWPROBE,
-                   ul_debug("nvlist: size %u, namelen %u, name %*s",
-                            nvp_size, nvp_namelen, nvp_namelen,
+                   ul_debug("nvlist: size %u, namelen %u, name %.*s",
+                            nvp_size, nvp_namelen, (int)nvp_namelen,
                             nvp->nvp_name));
 
                max_value_size = nvp_size - (namesize + sizeof(*nvp));
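Review bot: The bytes printed for `nvp->nvp_name` are read from the probed device and, as far as this hunk shows, reach the debug output unfiltered, so with debugging enabled control or escape bytes in an on-disk name would land in the log or terminal. Whether `ul_debug` escapes its arguments is not visible here; if it does not, a comment such as `/* name is untrusted on-disk data, printed raw */` would at least flag it for whoever reads these logs. An embedded NUL also ends `%.*s` early, so the printed name can be shorter than `nvp_namelen` reports. The nvstring message in the zfs_process_value hunk prints on-disk bytes the same way. The enclosing code in zfs_extract_guid_name starts and ends outside the hunk.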