summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBrian Behlendorf <[email protected]>2009-03-12 15:20:26 -0700
committerBrian Behlendorf <[email protected]>2009-03-12 15:20:26 -0700
commitf1f9c50dd9e918afbc222dbdc7ee11fc3b3fa279 (patch)
tree0f1e48e0fe01110fdcc105efd3f9c71d093a4e18
parentd164b2093561a9771db07346e6fffc9ca19427a2 (diff)
Add fix-strncat branch which corrects a buffer overrun.
-rw-r--r--.topdeps1
-rw-r--r--.topmsg8
-rw-r--r--lib/libzfs/libzfs_sendrecv.c2
3 files changed, 10 insertions, 1 deletions
diff --git a/.topdeps b/.topdeps
new file mode 100644
index 000000000..1f7391f92
--- /dev/null
+++ b/.topdeps
@@ -0,0 +1 @@
+master
diff --git a/.topmsg b/.topmsg
new file mode 100644
index 000000000..1a1a56687
--- /dev/null
+++ b/.topmsg
@@ -0,0 +1,8 @@
+From: Brian Behlendorf <[email protected]>
+Subject: [PATCH] fix strncat
+
+This look like a typo. The intention was to use strlcat() however
+strncat() was used instead accidentally this may lead to a buffer
+overflow. This was caught by gcc -D_FORTIFY_SOURCE=2.
+
+Signed-off-by: Brian Behlendorf <[email protected]>
diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c
index 5a2e2aeb6..ab6977e9e 100644
--- a/lib/libzfs/libzfs_sendrecv.c
+++ b/lib/libzfs/libzfs_sendrecv.c
@@ -1642,7 +1642,7 @@ zfs_receive_one(libzfs_handle_t *hdl, int infd, const char *tosnap,
* Determine name of destination snapshot, store in zc_value.
*/
(void) strcpy(zc.zc_value, tosnap);
- (void) strncat(zc.zc_value, drrb->drr_toname+choplen,
+ (void) strlcat(zc.zc_value, drrb->drr_toname+choplen,
sizeof (zc.zc_value));
if (!zfs_name_valid(zc.zc_value, ZFS_TYPE_SNAPSHOT)) {
zcmd_free_nvlists(&zc);