From d47909ea1e5f32cfc9f756a04edc052717c98ae6 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Wed, 12 May 2021 17:07:28 +0100
Subject: [PATCH] libblkid-tiny: fix buffer overflow
Copying device name into a fixed-length buffer is problematic as the name can be longer than the buffer, resulting in subsequent fields getting corrupted and potentially even worse things. Drop strcpy of device name and use of the copied value as it is known anyway.
Before this fix:
/dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="c66-rw_test" LABEL="test" VERSION="1.14" TYPE="f2fs"
After this fix:
/dev/mapper/owrt--volumes--e093cc66-rw_test: UUID="5eda3e52-3427-493a-a6d6-ffdb5a5836fd" LABEL="test" VERSION="1.14" TYPE="f2fs"
Signed-off-by: Daniel Golle
---
 libblkid-tiny/libblkid-tiny.c | 1 -
 probe.c | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/libblkid-tiny/libblkid-tiny.c b/libblkid-tiny/libblkid-tiny.c
index 52470ca..18db4ef 100644
--- a/libblkid-tiny/libblkid-tiny.c
+++ b/libblkid-tiny/libblkid-tiny.c
@@ -226,7 +226,6 @@ int probe_block(char *block, struct blkid_struct_probe *pr)
 DEBUG("probing %s\n", idinfos[i]->name);
 pr->err = idinfos[i]->probefunc(pr, mag);
 pr->id = idinfos[i];
- strcpy(pr->dev, block);
 if (!pr->err) break;
 }
diff --git a/probe.c b/probe.c
index 3ed7a7d..ab1bc61 100644
--- a/probe.c
+++ b/probe.c
@@ -31,16 +31,14 @@ probe_path_tiny(const char *path)
 if (probe_block((char *)path, pr) == 0 && pr->id && !pr->err) {
 info = calloc_a(sizeof(*info),
 &type, strlen(pr->id->name) + 1,
- &dev, strlen(pr->dev) + 1,
+ &dev, strlen(path) + 1,
 &uuid, strlen(pr->uuid) + 1,
 &label, strlen(pr->label) + 1,
 &version, strlen(pr->version) + 1);
 if (info) {
 info->type = strcpy(type, pr->id->name);
-
- if (pr->dev[0])
- info->dev = strcpy(dev, pr->dev);
+ info->dev = strcpy(dev, path);
 if (pr->uuid[0])
 info->uuid = strcpy(uuid, pr->uuid);
--
2.30.2
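Review bot: The now-unconditional `info->dev = strcpy(dev, path);` in the probe.c hunk is safe only because `dev` was sized with `strlen(path) + 1` in the `calloc_a` call a few lines earlier, and nothing in the code says so. A short comment such as `/* dev was allocated with strlen(path) + 1 above; do not route the name through pr's fixed-length fields */` would keep the allocation and the copy from drifting apart. The `dev` member of `struct blkid_struct_probe` is presumably left unused by this commit (its declaration is not in the diff); removing it, or marking it unused, would stop a later change from reintroducing the unbounded copy. The remaining `strlen(pr->uuid)`, `strlen(pr->label)` and `strlen(pr->version)` calls still depend on the probe functions NUL-terminating those buffers, which cannot be confirmed from the lines shown. probe_path_tiny starts and ends outside the hunk.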