From caf79c6073bed928653ed4a8c495c5f111973afb Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 21 Jul 2025 09:48:06 +0200
Subject: [PATCH] fsck.cramfs: check buffer size for memcpy()

- reuse MAX_INPUT_NAMELEN
- check path buffer size before memcpy() to the buffer
- check for zero path before use it

Signed-off-by: Karel Zak
---
 disk-utils/cramfs.h | 9 +++++++++
 disk-utils/fsck.cramfs.c | 12 ++++++++----
 disk-utils/mkfs.cramfs.c | 8 --------
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/disk-utils/cramfs.h b/disk-utils/cramfs.h
index 322dbf38af..cab441c9d7 100644
--- a/disk-utils/cramfs.h
+++ b/disk-utils/cramfs.h
@@ -39,6 +39,15 @@
 #define HOST_IS_BIG_ENDIAN (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
 #endif

+/*
+ * The longest file name component to allow for in the input directory tree.
+ * Ext2fs (and many others) allow up to 255 bytes. A couple of filesystems
+ * allow longer (e.g. smbfs 1024), but there isn't much use in supporting
+ * >255-byte names in the input directory tree given that such names get
+ * truncated to 255 bytes when written to cramfs.
+ */
+#define MAX_INPUT_NAMELEN 255
+
 /*
 * Reasonably terse representation of the inode data.
 */
diff --git a/disk-utils/fsck.cramfs.c b/disk-utils/fsck.cramfs.c
index 8384bd5da1..f50bb27906 100644
--- a/disk-utils/fsck.cramfs.c
+++ b/disk-utils/fsck.cramfs.c
@@ -462,10 +462,11 @@ static void __attribute__((__noreturn__))

 static void do_directory(char *path, struct cramfs_inode *i)
 {
- int pathlen = strlen(path);
+ size_t pathlen = strlen(path);
+ size_t pathbufsz = pathlen + MAX_INPUT_NAMELEN + 1;
 int count = i->size;
 unsigned long offset = i->offset << 2;
- char *newpath = xmalloc(pathlen + 256);
+ char *newpath = xmalloc(pathbufsz);

 if (offset == 0 && count != 0)
 errx(FSCK_EX_UNCORRECTED,
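Review bot: The comment moved into disk-utils/cramfs.h above `MAX_INPUT_NAMELEN` still describes only the mkfs input directory tree, but the fsck.cramfs.c change in this patch now uses the macro to size `newpath` for names read from the image being checked. A sentence such as `Also bounds the per-entry name length fsck.cramfs accepts when building extraction paths.` would tell a later editor that changing the value also affects a bounds check on untrusted image data.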
@@ -503,10 +504,13 @@ static void do_directory(char *path, struct cramfs_inode *i)
 errx_path(_("illegal filename"), name, newlen);
 if (*extract_dir != '\0' && is_dangerous_filename(name, newlen))
 errx_path(_("dangerous filename"), name, newlen);
- memcpy(newpath + pathlen, name, newlen);
- newpath[pathlen + newlen] = 0;
 if (newlen == 0)
 errx(FSCK_EX_UNCORRECTED, _("filename length is zero"));
+ if (pathlen + newlen + 1 > pathbufsz)
+ errx(FSCK_EX_UNCORRECTED, _("filename length is too large"));
+
+ memcpy(newpath + pathlen, name, newlen);
+ newpath[pathlen + newlen] = '\0';
 if ((pathlen + newlen) - strlen(newpath) > 3)
 errx(FSCK_EX_UNCORRECTED, _("bad filename length"));
 expand_fs(newpath, child);
diff --git a/disk-utils/mkfs.cramfs.c b/disk-utils/mkfs.cramfs.c
index 64d3a33715..4cef2bb3fc 100644
--- a/disk-utils/mkfs.cramfs.c
+++ b/disk-utils/mkfs.cramfs.c
@@ -244,14 +244,6 @@ identical_file(struct entry *e1, struct entry *e2){
 return equal;
 }

-/*
- * The longest file name component to allow for in the input directory tree.
- * Ext2fs (and many others) allow up to 255 bytes. A couple of filesystems
- * allow longer (e.g. smbfs 1024), but there isn't much use in supporting
- * >255-byte names in the input directory tree given that such names get
- * truncated to 255 bytes when written to cramfs.
- */
-#define MAX_INPUT_NAMELEN 255

 static int find_identical_file(struct entry *orig, struct entry *new, loff_t *fslen_ub)
 {
--
2.47.2
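Review bot: In the second do_directory hunk of disk-utils/fsck.cramfs.c, the zero-length check still runs after `name` and `newlen` have been passed to `is_dangerous_filename()` and to the `errx_path()` call for "illegal filename", so the commit's "check for zero path before use" holds only for the memcpy(). Whether those helpers tolerate a zero length is not visible here; moving `if (newlen == 0) errx(FSCK_EX_UNCORRECTED, _("filename length is zero"));` above the filename checks would make the ordering hold for every use. The new bound reduces to `newlen > MAX_INPUT_NAMELEN`, which states the limit without the addition and is worth considering if `newlen` is a signed type, since its declaration is outside the hunk. The loop body this hunk edits starts and ends outside the hunk.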