btrfs-progs: prevent incorrect use of subvol_strip_mountpoint

Add additional bound checks to prevent memory corruption on incorrect usage of subvol_strip_mountpoint. Assert sane return value by properly comparing the mount point to the full_path before stripping it off. Mitigates issue: "btrfs send -p" fails if source and parent subvolumes are on different mountpoints (memory corruption): https://github.com/kdave/btrfs-progs/issues/96 Note that this does not properly fix this bug, but prevents a possible security issue by unexpected usage of "btrfs send -p". Issue: #96 Pull-request: #98 Signed-off-by: Axel Burri <axel@tty0.ch> Signed-off-by: David Sterba <dsterba@suse.com>
author: Axel Burri <axel@tty0.ch> 2018-02-17 16:05:34 +0100
committer: David Sterba <dsterba@suse.com> 2018-02-19 19:07:02 +0100
commit: c5dc299aff6b4ee3e3490a046fcf9bf8d1c41af5 (patch)
tree: 1a012fe003ac1f25efd792aea6e50048318b2a11
parent: d62bd380797d3a990b2229ea6c16956972f7dfe0 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/utils.c b/utils.c
index e9cb3a82..f867e5a7 100644
--- a/utils.c
+++ b/utils.c
@@ -2484,6 +2484,11 @@ const char *subvol_strip_mountpoint(const char *mnt, const char *full_path)
 	if (!len)
 		return full_path;
 
+	if ((strncmp(mnt, full_path, len) != 0) || (full_path[len] != '/')) {
+		error("not on mount point: %s", mnt);
+		exit(1);
+	}
+
 	if (mnt[len - 1] != '/')
 		len += 1;
author	Axel Burri <axel@tty0.ch>	2018-02-17 16:05:34 +0100
committer	David Sterba <dsterba@suse.com>	2018-02-19 19:07:02 +0100
commit	c5dc299aff6b4ee3e3490a046fcf9bf8d1c41af5 (patch)
tree	1a012fe003ac1f25efd792aea6e50048318b2a11
parent	d62bd380797d3a990b2229ea6c16956972f7dfe0 (diff)