[PATCH] Btrfs: avoid buffer overrun in btrfs_printk
From: Jim Meyering
Date: Thu Apr 26 2012 - 12:35:19 EST
The buffer read-overrun would be triggered by a printk format
starting with <N>, where N is a single digit. NUL-terminate
after strncpy. Use memcpy, not strncpy, since we know the
string we're copying fits in the destination buffer and
contains no NUL byte.
Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
---
fs/btrfs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 5ddf172..626f574 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -180,23 +180,24 @@ const char *logtypes[] = {
void btrfs_printk(struct btrfs_fs_info *fs_info, const char *fmt, ...)
{
struct super_block *sb = fs_info->sb;
char lvl[4];
struct va_format vaf;
va_list args;
const char *type = logtypes[4];
va_start(args, fmt);
if (fmt[0] == '<' && isdigit(fmt[1]) && fmt[2] == '>') {
- strncpy(lvl, fmt, 3);
+ memcpy(lvl, fmt, 3);
+ lvl[3] = '\0';
fmt += 3;
type = logtypes[fmt[1] - '0'];
} else
*lvl = '\0';
vaf.fmt = fmt;
vaf.va = &args;
printk("%sBTRFS %s (device %s): %pV", lvl, type, sb->s_id, &vaf);
}
/*
--
1.7.10.336.gc5e31
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/