path: root/cmd/zdb
author: Richard Yao <[email protected]> 2022-12-04 15:41:24 -0500
committer: Brian Behlendorf <[email protected]> 2022-12-08 14:15:15 -0800
commit: f954ea26a615cecc8573bb439482d9fd88019854
tree: 955eebba05f17d872eb9e32710bc0c8c20c196fc /cmd/zdb
parent: d30db519af44b905fc52b8c8ba34f6378aa03470
zdb: Handle theoretical buffer overflow when printing float
CodeQL pointed out that for extreme floating point values, `sprintf()` will overwrite a 32 character buffer. It cited 1e304 as an example, which causes `sprintf()` to print 308 characters. In practice, the numbers should never exceed 100, so this should not happen. To silence the warning and also handle unexpected situations, we change the code to use `snprintf()`.

This was missed during my audit of our use of `sprintf()`, since I did not think to consider extreme floating point representations. It also really should not happen, so this change is purely defensive programming.

This was found by CodeQL's cpp/overrunning-write-with-float check.

Reviewed-by: Damian Szuberski <[email protected]>
Reviewed-by: Alexander Motin <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Closes #14264
Diffstat (limited to 'cmd/zdb')
-rw-r--r-- cmd/zdb/zdb.c | 6
1 file changed, 3 insertions, 3 deletions
diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c
index 12301ae86..a3131ab04 100644
--- a/cmd/zdb/zdb.c
+++ b/cmd/zdb/zdb.c
@@ -3496,9 +3496,9 @@ dump_object(objset_t *os, uint64_t object, int verbosity,
zdb_nicenum(doi.doi_physical_blocks_512 << 9, asize, sizeof (asize));
zdb_nicenum(doi.doi_bonus_size, bonus_size, sizeof (bonus_size));
zdb_nicenum(doi.doi_dnodesize, dnsize, sizeof (dnsize));
- (void) sprintf(fill, "%6.2f", 100.0 * doi.doi_fill_count *
- doi.doi_data_block_size / (object == 0 ? DNODES_PER_BLOCK : 1) /
- doi.doi_max_offset);
+ (void) snprintf(fill, sizeof (fill), "%6.2f", 100.0 *
+ doi.doi_fill_count * doi.doi_data_block_size / (object == 0 ?
+ DNODES_PER_BLOCK : 1) / doi.doi_max_offset);
aux[0] = '\0';
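Review bot: the `(void)` cast on the new `snprintf()` call discards its return value, so a percentage too long for `fill` is now silently truncated rather than overflowing; that is the intended defensive behaviour, but nothing in the hunk enforces the commit message's assumption that the value stays at or below 100, and a reader of the call site has no hint that `sizeof (fill)` was chosen for `"%6.2f"` of a percentage. A short comment at the declaration of `fill` would document that. Separately, the expression still divides by `doi.doi_max_offset` with no zero check; because `100.0 *` promotes the arithmetic to double first, a zero divisor yields `inf` or `nan` in the output rather than a trap, which fits the buffer but prints a misleading fill value for a damaged object. Consider guarding with something like `doi.doi_max_offset == 0 ? 0.0 : ...` so zdb reports a sane number on corrupt pools.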