libc/sys-minix/mount.c: fix overflow

Fix a bug where a filesystem label could overflow the reserved buffer.
This was already possible with 32 bits values, but is more proeminent
with dev_t being 64 bits.

Change-Id: Idc04ed355d1dd92b7a8ce4699de832661a5c4ccd
This commit is contained in:
Lionel Sambuc 2013-11-19 15:26:47 +01:00
parent c9072ba0bb
commit a00e322bea
2 changed files with 9 additions and 7 deletions

View file

@ -9,6 +9,8 @@
#define MS_REUSE 0x001 /* Tell RS to try reusing binary from memory */
#define MS_EXISTING 0x002 /* Tell mount to use already running server */
#define MNT_LABEL_LEN 16 /* Length of fs label including nul */
/* Legacy definitions. */
#define MNTNAMELEN 16 /* Length of fs type name including nul */
#define MNTFLAGLEN 64 /* Length of flags string including nul */

View file

@ -39,7 +39,7 @@ int mountflags, srvflags;
int r;
message m;
struct stat statbuf;
char label[16];
char label[MNT_LABEL_LEN];
char path[PATH_MAX];
char cmd[200];
char *p;
@ -75,24 +75,24 @@ int mountflags, srvflags;
errno = EINVAL;
return -1;
}
sprintf(label, "fs_%.12s", p);
snprintf(label, MNT_LABEL_LEN, "fs_%.12s", p);
} else {
/* check for a rslabel option in the arguments and try to use
* that.
*/
rslabel = find_rslabel(args);
if (rslabel != NULL){
snprintf(label,16,"%s",rslabel);
snprintf(label, MNT_LABEL_LEN, "%s", rslabel);
free(rslabel);
} else {
if (stat(name, &statbuf) < 0) return -1;
sprintf(label, "fs_%04x%llx", statbuf.st_dev, statbuf.st_ino);
snprintf(label, MNT_LABEL_LEN, "fs_%llx_%llx", statbuf.st_dev, statbuf.st_ino);
}
}
} else {
/* label to long? */
if (strlen(type) < 16) {
sprintf(label, "%s", type);
if (strlen(type) < MNT_LABEL_LEN) {
snprintf(label, MNT_LABEL_LEN, "%s", type);
} else {
errno = ENOMEM;
return -1;
@ -174,7 +174,7 @@ int umount(name, srvflags)
const char *name;
int srvflags;
{
char label[16];
char label[MNT_LABEL_LEN];
message m;
int r;