mkfs: avoid heap-buffer-read-underrun for zero-length "size" arg
authorJim Meyering <meyering@redhat.com>
Fri, 20 Apr 2012 19:27:26 +0000 (21:27 +0200)
committerHugo Mills <hugo@carfax.org.uk>
Tue, 5 Jun 2012 18:56:20 +0000 (19:56 +0100)
* mkfs.c (parse_size): ./mkfs.btrfs -A '' would read and possibly
write the byte before beginning of strdup'd heap buffer.  All other
size-accepting options were similarly affected.

Reviewed-by: Josef Bacik <josef@redhat.com>
cmds-subvolume.c
mkfs.c

index fc749f1..a01c830 100644 (file)
@@ -380,7 +380,7 @@ static int cmd_snapshot(int argc, char **argv)
 
        args.fd = fd;
        strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX);
-       args.name[BTRFS_PATH_NAME_MAX-1] = 0;
+       args.name[BTRFS_SUBVOL_NAME_MAX-1] = 0;
        res = ioctl(fddst, BTRFS_IOC_SNAP_CREATE_V2, &args);
        e = errno;
 
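Review bot: The `strncpy` just above the corrected line still truncates an over-long `newname` silently, so the snapshot could be created under a different name than the one requested. Unless the length is validated earlier in cmd_snapshot (outside this hunk), reject it before the copy with a check such as `if (strlen(newname) >= BTRFS_SUBVOL_NAME_MAX)` and fail with an error. The new index is in bounds only if `args.name` holds at least BTRFS_SUBVOL_NAME_MAX bytes, which the hunk does not show; assuming `name` is an array member, `args.name[sizeof(args.name) - 1] = 0;` would tie the terminator to the real array size. The commit message describes only the mkfs.c change, so this bounds fix is easy to miss when auditing or backporting.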
diff --git a/mkfs.c b/mkfs.c
index 03239fb..4aff2fd 100644 (file)
--- a/mkfs.c
+++ b/mkfs.c
@@ -63,7 +63,7 @@ static u64 parse_size(char *s)
 
        s = strdup(s);
 
-       if (!isdigit(s[len - 1])) {
+       if (len && !isdigit(s[len - 1])) {
                c = tolower(s[len - 1]);
                switch (c) {
                case 'g':
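Review bot: `isdigit(s[len - 1])` and `tolower(s[len - 1])` are passed a plain `char`, which is undefined behaviour for bytes above 0x7f on platforms where `char` is signed; since `s` comes straight from the command line, cast first, e.g. `if (len && !isdigit((unsigned char)s[len - 1])) {`. The result of `s = strdup(s);` is also used without a NULL check, so for a non-empty argument an allocation failure is dereferenced at `s[len - 1]`; an explicit `if (!s)` failure path would cover that. With the new `len &&` guard an empty argument skips the suffix handling and reaches the numeric conversion outside this hunk, which presumably yields 0 rather than an error, so it is worth confirming that `''` is rejected instead of being accepted as size zero. parse_size begins and ends outside the hunk.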