authorRichard Yao <[email protected]>2022-12-03 21:43:33 -0500
committerBrian Behlendorf <[email protected]>2022-12-08 14:14:30 -0800
commitba87ed14103dd4b5e2cd40c347c4a653950ced16 (patch)
treef8aafa105495274ed5479689fa2e5afcf6268d4e /cmd
parentecccaede680cc2390181342e3036478fbb9915fd (diff)
Fix potential buffer overflow in zpool command
The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This allows for arbitrarily long strings to be passed to sprintf(), which can overflow the buffer. I missed this in my earlier audit of the codebase. CodeQL's cpp/unbounded-write check caught this.

Reviewed-by: Damian Szuberski <[email protected]>
Reviewed-by: Alexander Motin <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Closes #14264
Diffstat (limited to 'cmd')
-rw-r--r--cmd/zpool/zpool_main.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/cmd/zpool/zpool_main.c b/cmd/zpool/zpool_main.c
index 0b55bf21f..0872671f4 100644
--- a/cmd/zpool/zpool_main.c
+++ b/cmd/zpool/zpool_main.c
@@ -5429,7 +5429,13 @@ print_zpool_dir_scripts(char *dirpath)
if ((dir = opendir(dirpath)) != NULL) {
/* print all the files and directories within directory */
while ((ent = readdir(dir)) != NULL) {
- sprintf(fullpath, "%s/%s", dirpath, ent->d_name);
+ if (snprintf(fullpath, sizeof (fullpath), "%s/%s",
+ dirpath, ent->d_name) >= sizeof (fullpath)) {
+ (void) fprintf(stderr,
+ gettext("internal error: "
+ "ZPOOL_SCRIPTS_PATH too large.\n"));
+ exit(1);
+ }
/* Print the scripts */
if (stat(fullpath, &dir_stat) == 0)