From 03fdd4f9dcd5389e469811a7b29c799dee4e330d Mon Sep 17 00:00:00 2001
From: Jim Garlick
Date: Wed, 1 Jan 2025 11:25:16 -0800
Subject: [PATCH] libnpfs: catch overflow in np_deserialize_p9dirent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem: compilation of diodls.c fails due to a potential string overflow when building a test deb. In function ‘snprintf’, inlined from ‘np_deserialize_p9dirent’ at ../libnpfs/np.c:1712:3, inlined from ‘npc_readdir_r’ at ../libnpclient/readdir.c:115:8, inlined from ‘lsdir’ at diodls.c:240:14: /usr/include/x86_64-linux-gnu/bits/stdio2.h:71:10: error: ‘__builtin___snprintf_chk’ specified bound 4097 exceeds destination size 256 [-Werror=stringop-overflow=] 71 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, | ^ lto1: all warnings being treated as errors Add an explicit check for the overflow and use memcpy() instead of snprintf("%.*s") here.
---
 src/libnpfs/np.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/libnpfs/np.c b/src/libnpfs/np.c
index 5ccd0af2..b1bf42d2 100644
--- a/src/libnpfs/np.c
+++ b/src/libnpfs/np.c
@@ -1704,14 +1704,11 @@ np_deserialize_p9dirent(Npqid *qid, u64 *offset, u8 *type,
 	*type = buf_get_int8(bufp);
 	buf_get_str(bufp, &s9);
-	if (s9.len > 0)
-		snprintf (name, namelen, "%.*s", s9.len, s9.str);
-	else
-		name[0] = '\0';
-
-
-	if (buf_check_overflow (bufp))
+	if (buf_check_overflow (bufp) || s9.len >= namelen)
 		return 0;
+	memcpy (name, s9.str, s9.len);
+	name[s9.len] = '\0';
+
 	return bufp->p - bufp->sp;
 }
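Review bot: The new guard `s9.len >= namelen` turns an over-long directory entry name into a hard failure (return 0) where the removed snprintf silently truncated it, and neither the code nor the commit message calls that out; a caller that previously treated 0 only as "wire buffer overflow" now also gets it for a well-formed entry whose name does not fit. Suggest a comment above the guard such as `/* name must fit with its NUL terminator; an over-long name is rejected, not truncated */`, and confirming that npc_readdir_r (the inlined caller named in the commit message) tolerates 0 for this case. Checking buf_check_overflow before the copy also means s9.str is no longer read when the message was short, which is worth stating in the same comment. The body of np_deserialize_p9dirent begins before the hunk, so the types of namelen and s9.len cannot be confirmed here; if namelen is a signed int, the comparison should be reviewed for a negative value.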