diff options
| author | Jim Meyering <meyering@redhat.com> | 2009-08-12 21:16:30 +0200 |
|---|---|---|
| committer | Jim Meyering <meyering@redhat.com> | 2009-08-13 14:45:34 +0200 |
| commit | bd34e4e9421edee4289b8239e50c1e45a3d842fb (patch) | |
| tree | 9bc17c982a2bb2204c6b4e4006459550047d0a18 /daemon | |
| parent | a0bb8e69de762aa88144c7a4825e13c446c2bbcb (diff) | |
| download | libguestfs-bd34e4e9421edee4289b8239e50c1e45a3d842fb.tar.gz libguestfs-bd34e4e9421edee4289b8239e50c1e45a3d842fb.tar.xz libguestfs-bd34e4e9421edee4289b8239e50c1e45a3d842fb.zip | |
sfdisk: guard against buffer overflow
* daemon/sfdisk.c (sfdisk): Don't let outrageous "extra_flag"
or "device" strings overflow a fixed-size buffer.
Diffstat (limited to 'daemon')
| -rw-r--r-- | daemon/sfdisk.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/daemon/sfdisk.c b/daemon/sfdisk.c index 1ec0c859..8a5a46b0 100644 --- a/daemon/sfdisk.c +++ b/daemon/sfdisk.c @@ -48,10 +48,23 @@ sfdisk (const char *device, int n, int cyls, int heads, int sectors, sprintf (buf + strlen (buf), " -H %d", heads); if (sectors) sprintf (buf + strlen (buf), " -S %d", sectors); - if (extra_flag) + + /* The above are all guaranteed to fit in the fixed-size buffer. + However, extra_flag and device have no restrictions, + so we must check. */ + + if (extra_flag) { + if (strlen (buf) + 1 + strlen (extra_flag) >= sizeof buf) { + reply_with_error ("internal buffer overflow: sfdisk extra_flag too long"); + return -1; + } sprintf (buf + strlen (buf), " %s", extra_flag); + } - /* Safe because of RESOLVE_DEVICE above: */ + if (strlen (buf) + 1 + strlen (device) >= sizeof buf) { + reply_with_error ("internal buffer overflow: sfdisk device name too long"); + return -1; + } sprintf (buf + strlen (buf), " %s", device); if (verbose) |