btrfs-progs: fix overflows of ioctl name args

3 places where we copy pathnames into ioctl arguments
were not limited to the destination name size, and
could overflow.  Use the new strncpy_null() macro
to make this safe.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>

diff --git a/btrfs-vol.c b/btrfs-vol.c
index ad824bd..3cc1c32 100644 (file)
--- a/btrfs-vol.c
+++ b/btrfs-vol.c
@@ -159,7 +159,7 @@ int main(int ac, char **av)
        }
        fd = dirfd(dirstream);
        if (device)
-               strcpy(args.name, device);
+               strncpy_null(args.name, device);
        else
                args.name[0] = '\0';
 

diff --git a/cmds-receive.c b/cmds-receive.c
index e629174..6688d0c 100644 (file)
--- a/cmds-receive.c
+++ b/cmds-receive.c
@@ -43,6 +43,7 @@
 #include "ctree.h"
 #include "ioctl.h"
 #include "commands.h"
+#include "utils.h"
 #include "list.h"
 
 #include "send.h"
@@ -165,7 +166,7 @@ static int process_subvol(const char *path, const u8 *uuid, u64 ctransid,
        }
 
        memset(&args_v1, 0, sizeof(args_v1));
-       strcpy(args_v1.name, path);
+       strncpy_null(args_v1.name, path);
        ret = ioctl(r->mnt_fd, BTRFS_IOC_SUBVOL_CREATE, &args_v1);
        if (ret < 0) {
                ret = -errno;
@@ -213,7 +214,7 @@ static int process_snapshot(const char *path, const u8 *uuid, u64 ctransid,
        }
 
        memset(&args_v2, 0, sizeof(args_v2));
-       strcpy(args_v2.name, path);
+       strncpy_null(args_v2.name, path);
 
        r->parent_subvol = subvol_uuid_search(&r->sus, 0, parent_uuid,
                        parent_ctransid, NULL, subvol_search_by_received_uuid);