From bd34e4e9421edee4289b8239e50c1e45a3d842fb Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Wed, 12 Aug 2009 21:16:30 +0200
Subject: [PATCH] sfdisk: guard against buffer overflow

* daemon/sfdisk.c (sfdisk): Don't let outrageous "extra_flag"
or "device" strings overflow a fixed-size buffer.
---
 daemon/sfdisk.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c
index 1ec0c85..8a5a46b 100644
--- a/daemon/sfdisk.c
+++ b/daemon/sfdisk.c
@@ -48,10 +48,23 @@ sfdisk (const char *device, int n, int cyls, int heads, int sectors,
     sprintf (buf + strlen (buf), " -H %d", heads);
   if (sectors)
     sprintf (buf + strlen (buf), " -S %d", sectors);
-  if (extra_flag)
+
+  /* The above are all guaranteed to fit in the fixed-size buffer.
+     However, extra_flag and device have no restrictions,
+     so we must check.  */
+
+  if (extra_flag) {
+    if (strlen (buf) + 1 + strlen (extra_flag) >= sizeof buf) {
+      reply_with_error ("internal buffer overflow: sfdisk extra_flag too long");
+      return -1;
+    }
     sprintf (buf + strlen (buf), " %s", extra_flag);
+  }
 
-  /* Safe because of RESOLVE_DEVICE above: */
+  if (strlen (buf) + 1 + strlen (device) >= sizeof buf) {
+    reply_with_error ("internal buffer overflow: sfdisk device name too long");
+    return -1;
+  }
   sprintf (buf + strlen (buf), " %s", device);
 
   if (verbose)
-- 
1.8.3.1