diff options
author | Jim Meyering <meyering@redhat.com> | 2012-04-20 21:27:26 +0200 |
---|---|---|
committer | Hugo Mills <hugo@carfax.org.uk> | 2012-06-05 19:56:20 +0100 |
commit | 8ad8e789fc03423a9f1d33051b592419399184bb (patch) | |
tree | dc577d4651138bca17253e6982472505c6d2a2c9 | |
parent | 54e345b5c2339dee170595f686dbd26937620262 (diff) |
mkfs: avoid heap-buffer-read-underrun for zero-length "size" arg
* mkfs.c (parse_size): ./mkfs.btrfs -A '' would read and possibly
write the byte before beginning of strdup'd heap buffer. All other
size-accepting options were similarly affected.
Reviewed-by: Josef Bacik <josef@redhat.com>
-rw-r--r-- | cmds-subvolume.c | 2 | ||||
-rw-r--r-- | mkfs.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/cmds-subvolume.c b/cmds-subvolume.c index fc749f12..a01c830d 100644 --- a/cmds-subvolume.c +++ b/cmds-subvolume.c @@ -380,7 +380,7 @@ static int cmd_snapshot(int argc, char **argv) args.fd = fd; strncpy(args.name, newname, BTRFS_SUBVOL_NAME_MAX); - args.name[BTRFS_PATH_NAME_MAX-1] = 0; + args.name[BTRFS_SUBVOL_NAME_MAX-1] = 0; res = ioctl(fddst, BTRFS_IOC_SNAP_CREATE_V2, &args); e = errno; @@ -63,7 +63,7 @@ static u64 parse_size(char *s) s = strdup(s); - if (!isdigit(s[len - 1])) { + if (len && !isdigit(s[len - 1])) { c = tolower(s[len - 1]); switch (c) { case 'g': |