diff options
author | Niels de Vos <ndevos@redhat.com> | 2017-04-10 10:29:15 +0200 |
---|---|---|
committer | Niels de Vos <ndevos@redhat.com> | 2017-04-18 04:59:30 -0400 |
commit | 4c623481986a4697fe7bbb3f553b877d38650422 (patch) | |
tree | f33f09f8332f66b9204d7b8af1c4641903ba86c8 /api | |
parent | 94196dee1f1b0e22faab69cd9b1b1c70ba3d2f6f (diff) |
gfapi: prevent off-by-one buffer overrun in glfs_sysrq()
Coverity found a potential buffer overrun in the strncat() usage for
logging the help message with glfs_sysrq(). This seems to be an
off-by-one mistake and should be addressed by reducing the initial size
of the remainder calculation.
Change-Id: Ide14add1cb28e5200d2c0df6b3a5154999ef3ca9
BUG: 789278
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: https://review.gluster.org/17024
Smoke: Gluster Build System <jenkins@build.gluster.org>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Amar Tumballi <amarts@redhat.com>
Diffstat (limited to 'api')
-rw-r--r-- | api/src/glfs.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/api/src/glfs.c b/api/src/glfs.c index bd59027236a..10af6c78e17 100644 --- a/api/src/glfs.c +++ b/api/src/glfs.c @@ -1477,7 +1477,6 @@ pub_glfs_sysrq (struct glfs *fs, char sysrq) glusterfs_ctx_t *ctx = NULL; int ret = 0; char msg[1024] = {0,}; /* should not exceed 1024 chars */ - size_t rem = sizeof (msg); if (!fs || !fs->ctx) { ret = -1; @@ -1490,12 +1489,13 @@ pub_glfs_sysrq (struct glfs *fs, char sysrq) switch (sysrq) { case GLFS_SYSRQ_HELP: { - struct glfs_sysrq_help *usage; + struct glfs_sysrq_help *usage = NULL; for (usage = glfs_sysrq_help; usage->sysrq; usage++) { - strncat (msg, usage->msg, rem); - rem -= strlen (usage->msg); - strncat (msg, " ", rem--); + snprintf (msg + strlen (msg), /* append to msg */ + sizeof (msg) - strlen (msg) - 2, + /* - 2 for the " " + terminating \0 */ + " %s", usage->msg); } /* not really an 'error', but make sure it gets logged */ |