From 333d028407e8668c690d92ec8ea3fd5af626f486 Mon Sep 17 00:00:00 2001 From: Conrad Meyer Date: Wed, 11 May 2016 16:20:23 +0000 Subject: [PATCH] fsck_ffs: Don't overrun mount device buffer Maybe this case is impossible. Either way, when attempting to "/dev/"-prefix a non-global device name, check that we do not overrun the f_mntfromname buffer. In this case, truncating (with strlcpy or similar) would not be useful, since the f_mntfromname result of getmntpt() is passed directly to open(2) later. Reported by: Coverity CID: 1006789 Sponsored by: EMC / Isilon Storage Division
---
 sbin/fsck_ffs/main.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sbin/fsck_ffs/main.c b/sbin/fsck_ffs/main.c
index f2fb588f748..2260f68e761 100644
--- a/sbin/fsck_ffs/main.c
+++ b/sbin/fsck_ffs/main.c
@@ -644,6 +644,9 @@ getmntpt(const char *name)
 statfsp = &mntbuf[i];
 ddevname = statfsp->f_mntfromname;
 if (*ddevname != '/') {
+ if (strlen(_PATH_DEV) + strlen(ddevname) + 1 >
+ sizeof(statfsp->f_mntfromname))
+ continue;
 strcpy(device, _PATH_DEV);
 strcat(device, ddevname);
 strcpy(statfsp->f_mntfromname, device);
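Review bot: The added length check in getmntpt() bounds the result only against `statfsp->f_mntfromname`, but the two calls that follow it, `strcpy(device, _PATH_DEV)` and `strcat(device, ddevname)`, write into `device` first, and its declaration is outside the hunk. If `device` is an array that could be smaller than `f_mntfromname`, the condition should cover it as well, e.g. by adding `|| strlen(_PATH_DEV) + strlen(ddevname) + 1 > sizeof(device)`; if it is known to be at least as large, a short comment saying so would keep the unbounded copies reviewable. The `continue` also drops the mount entry without any diagnostic, so a caller may get the same result as for a device that is not mounted (inferred, the callers are not shown); a comment such as `/* name cannot fit; skip instead of truncating, it is passed to open(2) later */` would record the intent. The enclosing loop and the rest of getmntpt() start and end outside the hunk.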