[dm-devel] [PATCH 05/72] libmultipath: format_devname: avoid buffer overflow

[Martin Wilck]

From: Martin Wilck <mwilck at suse.com>

If the buffer was too short, the current code could write
the terminating 0 byte after the actual buffer.

Also, assert sufficient buffer length, and positive id.

Signed-off-by: Martin Wilck <mwilck at suse.com>
---
 libmultipath/alias.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libmultipath/alias.c b/libmultipath/alias.c
index 412ab5b4..0fb206d1 100644
--- a/libmultipath/alias.c
+++ b/libmultipath/alias.c
@@ -52,18 +52,24 @@ format_devname(char *name, int id, int len, const char *prefix)
 	int pos;
 	int prefix_len = strlen(prefix);
 
-	memset(name,0, len);
+	if (len <= prefix_len + 1 || id <= 0)
+		return -1;
+
+	memset(name, 0, len);
 	strcpy(name, prefix);
-	for (pos = len - 1; pos >= prefix_len; pos--) {
+	name[len - 1] = '\0';
+	for (pos = len - 2; pos >= prefix_len; pos--) {
 		id--;
 		name[pos] = 'a' + id % 26;
 		if (id < 26)
 			break;
 		id /= 26;
 	}
+	if (pos < prefix_len)
+		return -1;
+
 	memmove(name + prefix_len, name + pos, len - pos);
-	name[prefix_len + len - pos] = '\0';
-	return (prefix_len + len - pos);
+	return (prefix_len + len - pos - 1);
 }
 
 static int
@@ -213,6 +219,9 @@ allocate_binding(int fd, const char *wwid, int id, const char *prefix)
 	}
 
 	i = format_devname(buf, id, LINE_MAX, prefix);
+	if (i == -1)
+		return NULL;
+
 	c = buf + i;
 	snprintf(c, LINE_MAX - i, " %s\n", wwid);
 	buf[LINE_MAX - 1] = '\0';
-- 
2.23.0