fsck.cramfs: check buffer size for memcpy()

- reuse MAX_INPUT_NAMELEN
- check path buffer size before memcpy() to the buffer
- check for zero path before use it

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/disk-utils/cramfs.h b/disk-utils/cramfs.h
index 322dbf38af0c79c6af64f28f3202366d26337088..cab441c9d7ffaad2f6eac9c3574fd61a112c95e7 100644 (file)
--- a/disk-utils/cramfs.h
+++ b/disk-utils/cramfs.h
@@ -39,6 +39,15 @@
 #define HOST_IS_BIG_ENDIAN (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
 #endif
 
+/*
+ * The longest file name component to allow for in the input directory tree.
+ * Ext2fs (and many others) allow up to 255 bytes.  A couple of filesystems
+ * allow longer (e.g. smbfs 1024), but there isn't much use in supporting
+ * >255-byte names in the input directory tree given that such names get
+ * truncated to 255 bytes when written to cramfs.
+ */
+#define MAX_INPUT_NAMELEN 255
+
 /*
  * Reasonably terse representation of the inode data.
  */

diff --git a/disk-utils/fsck.cramfs.c b/disk-utils/fsck.cramfs.c
index 8384bd5da1bc64cd0dff535ab1e06d698d6cb17d..f50bb279065a2c3765843b9d7a7ac37713558db8 100644 (file)
--- a/disk-utils/fsck.cramfs.c
+++ b/disk-utils/fsck.cramfs.c
@@ -462,10 +462,11 @@ static void __attribute__((__noreturn__))
 
 static void do_directory(char *path, struct cramfs_inode *i)
 {
-       int pathlen = strlen(path);
+       size_t pathlen = strlen(path);
+       size_t pathbufsz = pathlen + MAX_INPUT_NAMELEN + 1;
        int count = i->size;
        unsigned long offset = i->offset << 2;
-       char *newpath = xmalloc(pathlen + 256);
+       char *newpath = xmalloc(pathbufsz);
 
        if (offset == 0 && count != 0)
                errx(FSCK_EX_UNCORRECTED,
@@ -503,10 +504,13 @@ static void do_directory(char *path, struct cramfs_inode *i)
                        errx_path(_("illegal filename"), name, newlen);
                if (*extract_dir != '\0' && is_dangerous_filename(name, newlen))
                        errx_path(_("dangerous filename"), name, newlen);
-               memcpy(newpath + pathlen, name, newlen);
-               newpath[pathlen + newlen] = 0;
                if (newlen == 0)
                        errx(FSCK_EX_UNCORRECTED, _("filename length is zero"));
+               if (pathlen + newlen + 1 > pathbufsz)
+                       errx(FSCK_EX_UNCORRECTED, _("filename length is too large"));
+
+               memcpy(newpath + pathlen, name, newlen);
+               newpath[pathlen + newlen] = '\0';
                if ((pathlen + newlen) - strlen(newpath) > 3)
                        errx(FSCK_EX_UNCORRECTED, _("bad filename length"));
                expand_fs(newpath, child);

diff --git a/disk-utils/mkfs.cramfs.c b/disk-utils/mkfs.cramfs.c
index 64d3a337155235cf247040cec7f82827ef0c1429..4cef2bb3fc94c4430809a5d62b0a4f0886612f2f 100644 (file)
--- a/disk-utils/mkfs.cramfs.c
+++ b/disk-utils/mkfs.cramfs.c
@@ -244,14 +244,6 @@ identical_file(struct entry *e1, struct entry *e2){
        return equal;
 }
 
-/*
- * The longest file name component to allow for in the input directory tree.
- * Ext2fs (and many others) allow up to 255 bytes.  A couple of filesystems
- * allow longer (e.g. smbfs 1024), but there isn't much use in supporting
- * >255-byte names in the input directory tree given that such names get
- * truncated to 255 bytes when written to cramfs.
- */
-#define MAX_INPUT_NAMELEN 255
 
 static int find_identical_file(struct entry *orig, struct entry *new, loff_t *fslen_ub)
 {