From: Jens Axboe <axboe@fb.com>
Date: Mon, 14 Apr 2014 14:34:43 +0000 (-0600)
Subject: init: fix potential buffer overrun in make_filename()
X-Git-Tag: fio-2.1.9~61
X-Git-Url: https://git.kernel.dk/?p=fio.git;a=commitdiff_plain;h=73a467e6899315b1f78cf8f16bb1b1ac6d21505e

init: fix potential buffer overrun in make_filename()

Signed-off-by: Jens Axboe <axboe@fb.com>
---

diff --git a/init.c b/init.c
index 6324dcee..7e456b20 100644
--- a/init.c
+++ b/init.c
@@ -942,6 +942,7 @@ static char *make_filename(char *buf, struct thread_options *o,
 {
 	struct fpre_keyword *f;
 	char copy[PATH_MAX];
+	size_t dst_left = PATH_MAX;
 
 	if (!o->filename_format || !strlen(o->filename_format)) {
 		sprintf(buf, "%s.%d.%d", jobname, jobnum, filenum);
@@ -969,25 +970,47 @@ static char *make_filename(char *buf, struct thread_options *o,
 			if (pre_len) {
 				strncpy(dst, buf, pre_len);
 				dst += pre_len;
+				dst_left -= pre_len;
 			}
 
 			switch (f->key) {
-			case FPRE_JOBNAME:
-				dst += sprintf(dst, "%s", jobname);
+			case FPRE_JOBNAME: {
+				int ret;
+
+				ret = snprintf(dst, dst_left, "%s", jobname);
+				if (ret < 0)
+					break;
+				dst += ret;
+				dst_left -= ret;
 				break;
-			case FPRE_JOBNUM:
-				dst += sprintf(dst, "%d", jobnum);
+				}
+			case FPRE_JOBNUM: {
+				int ret;
+
+				ret = snprintf(dst, dst_left, "%d", jobnum);
+				if (ret < 0)
+					break;
+				dst += ret;
+				dst_left -= ret;
 				break;
-			case FPRE_FILENUM:
-				dst += sprintf(dst, "%d", filenum);
+				}
+			case FPRE_FILENUM: {
+				int ret;
+
+				ret = snprintf(dst, dst_left, "%d", filenum);
+				if (ret < 0)
+					break;
+				dst += ret;
+				dst_left -= ret;
 				break;
+				}
 			default:
 				assert(0);
 				break;
 			}
 
 			if (post_start)
-				strcpy(dst, buf + post_start);
+				strncpy(dst, buf + post_start, dst_left);
 
 			strcpy(buf, copy);
 		} while (1);