From bd34e4e9421edee4289b8239e50c1e45a3d842fb Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Wed, 12 Aug 2009 21:16:30 +0200
Subject: [PATCH] sfdisk: guard against buffer overflow

* daemon/sfdisk.c (sfdisk): Don't let outrageous "extra_flag" or "device" strings overflow a fixed-size buffer.
---
 daemon/sfdisk.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c
index 1ec0c85..8a5a46b 100644
--- a/daemon/sfdisk.c
+++ b/daemon/sfdisk.c
@@ -48,10 +48,23 @@ sfdisk (const char *device, int n, int cyls, int heads, int sectors,
 sprintf (buf + strlen (buf), " -H %d", heads);
 if (sectors)
 sprintf (buf + strlen (buf), " -S %d", sectors);
- if (extra_flag)
+
+ /* The above are all guaranteed to fit in the fixed-size buffer.
+ However, extra_flag and device have no restrictions,
+ so we must check. */
+
+ if (extra_flag) {
+ if (strlen (buf) + 1 + strlen (extra_flag) >= sizeof buf) {
+ reply_with_error ("internal buffer overflow: sfdisk extra_flag too long");
+ return -1;
+ }
 sprintf (buf + strlen (buf), " %s", extra_flag);
+ }

- /* Safe because of RESOLVE_DEVICE above: */
+ if (strlen (buf) + 1 + strlen (device) >= sizeof buf) {
+ reply_with_error ("internal buffer overflow: sfdisk device name too long");
+ return -1;
+ }
 sprintf (buf + strlen (buf), " %s", device);

 if (verbose)
--
1.8.3.1
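Review bot: Both new length checks (before the `extra_flag` append and before the `device` append) are arithmetically right, but each sits apart from the unbounded `sprintf` it guards, so a later edit to either format string would silently invalidate the bound. Letting the write enforce the limit keeps the two in step: `size_t len = strlen (buf); int r = snprintf (buf + len, sizeof buf - len, " %s", device);` followed by `if (r < 0 || (size_t) r >= sizeof buf - len) { reply_with_error (...); return -1; }`, and likewise for `extra_flag`. The body of `sfdisk` starts before and continues after this hunk, so the declaration of `buf` and the claim that the `-H`/`-S` appends always fit cannot be confirmed from here. Separately, `extra_flag` and `device` are still copied into the command string unquoted; if `buf` is later passed to a shell (not visible in this hunk), their content needs validating as well as their length.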