X-Git-Url: http://git.annexia.org/?p=libguestfs.git;a=blobdiff_plain;f=daemon%2Fsfdisk.c;fp=daemon%2Fsfdisk.c;h=8a5a46b08b772bdbe070c23a488554053fafe441;hp=1ec0c859b61b9eb80e453f3d58b85f2fe258feb8;hb=bd34e4e9421edee4289b8239e50c1e45a3d842fb;hpb=a0bb8e69de762aa88144c7a4825e13c446c2bbcb

diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c
index 1ec0c85..8a5a46b 100644
--- a/daemon/sfdisk.c
+++ b/daemon/sfdisk.c
@@ -48,10 +48,23 @@ sfdisk (const char *device, int n, int cyls, int heads, int sectors,
     sprintf (buf + strlen (buf), " -H %d", heads);
   if (sectors)
     sprintf (buf + strlen (buf), " -S %d", sectors);
-  if (extra_flag)
+
+  /* The above are all guaranteed to fit in the fixed-size buffer.
+     However, extra_flag and device have no restrictions,
+     so we must check.  */
+
+  if (extra_flag) {
+    if (strlen (buf) + 1 + strlen (extra_flag) >= sizeof buf) {
+      reply_with_error ("internal buffer overflow: sfdisk extra_flag too long");
+      return -1;
+    }
     sprintf (buf + strlen (buf), " %s", extra_flag);
+  }
 
-  /* Safe because of RESOLVE_DEVICE above: */
+  if (strlen (buf) + 1 + strlen (device) >= sizeof buf) {
+    reply_with_error ("internal buffer overflow: sfdisk device name too long");
+    return -1;
+  }
   sprintf (buf + strlen (buf), " %s", device);
 
   if (verbose)