diff options
author | Brian Behlendorf <[email protected]> | 2009-03-12 15:20:26 -0700 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2009-03-12 15:20:26 -0700 |
commit | f1f9c50dd9e918afbc222dbdc7ee11fc3b3fa279 (patch) | |
tree | 0f1e48e0fe01110fdcc105efd3f9c71d093a4e18 | |
parent | d164b2093561a9771db07346e6fffc9ca19427a2 (diff) |
Add fix-strncat branch which corrects a buffer overrun.
-rw-r--r-- | .topdeps | 1 | ||||
-rw-r--r-- | .topmsg | 8 | ||||
-rw-r--r-- | lib/libzfs/libzfs_sendrecv.c | 2 |
3 files changed, 10 insertions, 1 deletions
diff --git a/.topdeps b/.topdeps new file mode 100644 index 000000000..1f7391f92 --- /dev/null +++ b/.topdeps @@ -0,0 +1 @@ +master diff --git a/.topmsg b/.topmsg new file mode 100644 index 000000000..1a1a56687 --- /dev/null +++ b/.topmsg @@ -0,0 +1,8 @@ +From: Brian Behlendorf <[email protected]> +Subject: [PATCH] fix strncat + +This look like a typo. The intention was to use strlcat() however +strncat() was used instead accidentally this may lead to a buffer +overflow. This was caught by gcc -D_FORTIFY_SOURCE=2. + +Signed-off-by: Brian Behlendorf <[email protected]> diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c index 5a2e2aeb6..ab6977e9e 100644 --- a/lib/libzfs/libzfs_sendrecv.c +++ b/lib/libzfs/libzfs_sendrecv.c @@ -1642,7 +1642,7 @@ zfs_receive_one(libzfs_handle_t *hdl, int infd, const char *tosnap, * Determine name of destination snapshot, store in zc_value. */ (void) strcpy(zc.zc_value, tosnap); - (void) strncat(zc.zc_value, drrb->drr_toname+choplen, + (void) strlcat(zc.zc_value, drrb->drr_toname+choplen, sizeof (zc.zc_value)); if (!zfs_name_valid(zc.zc_value, ZFS_TYPE_SNAPSHOT)) { zcmd_free_nvlists(&zc); |