libc/sys-minix/mount.c: fix overflow

Fix a bug where a filesystem label could overflow the reserved buffer.
This was already possible with 32 bits values, but is more proeminent
with dev_t being 64 bits.

Change-Id: Idc04ed355d1dd92b7a8ce4699de832661a5c4ccd

include/minix/mount.h

@@ -9,6 +9,8 @@
 #define MS_REUSE	0x001	/* Tell RS to try reusing binary from memory */
 #define MS_EXISTING	0x002	/* Tell mount to use already running server */
 
+#define MNT_LABEL_LEN	16	/* Length of fs label including nul */
+
 /* Legacy definitions. */
 #define MNTNAMELEN	16	/* Length of fs type name including nul */
 #define MNTFLAGLEN	64	/* Length of flags string including nul */

lib/libc/sys-minix/mount.c

@@ -39,7 +39,7 @@ int mountflags, srvflags;
   int r;
   message m;
   struct stat statbuf;
-  char label[16];
+  char label[MNT_LABEL_LEN];
   char path[PATH_MAX];
   char cmd[200];
   char *p;
@@ -75,24 +75,24 @@ int mountflags, srvflags;
 			errno = EINVAL;
 			return -1;
 		}
-		sprintf(label, "fs_%.12s", p);
+		snprintf(label, MNT_LABEL_LEN, "fs_%.12s", p);
 	} else {
 		/* check for a rslabel option in the arguments and try to use 
 		 * that. 
 		 */
 		rslabel = find_rslabel(args);
 		if (rslabel != NULL){
-			snprintf(label,16,"%s",rslabel);
+			snprintf(label, MNT_LABEL_LEN, "%s", rslabel);
 			free(rslabel);
 		} else {
 			if (stat(name, &statbuf) < 0) return -1;
-			sprintf(label, "fs_%04x%llx", statbuf.st_dev, statbuf.st_ino);
+			snprintf(label, MNT_LABEL_LEN, "fs_%llx_%llx", statbuf.st_dev, statbuf.st_ino);
 		}
 	}
   } else {
 		/* label to long? */
-		if (strlen(type) < 16) {
-			sprintf(label, "%s", type);
+		if (strlen(type) < MNT_LABEL_LEN) {
+			snprintf(label, MNT_LABEL_LEN, "%s", type);
 		} else {
 			errno = ENOMEM;
 			return -1;
@@ -174,7 +174,7 @@ int umount(name, srvflags)
 const char *name;
 int srvflags;
 {
-  char label[16];
+  char label[MNT_LABEL_LEN];
   message m;
   int r;