[Yaffs] patch: mkyaffsimage - buffer overflow fix
Frank Rowand
frowand@mvista.com
Mon, 22 Nov 2004 16:07:46 -0800
This is a multi-part message in MIME format.
--------------000007010902080807060509
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
The attached patch prevents a buffer overflow which occurs when a
path becomes too long.
(And with this patch, I'll end my tiny flood of the email list...)
-Frank
--
Frank Rowand <frank_rowand@mvista.com>
MontaVista Software, Inc
--------------000007010902080807060509
Content-Type: text/plain;
name="yaffs_userland_08_mkyaffsimage_buf_overflow.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="yaffs_userland_08_mkyaffsimage_buf_overflow.patch"
Index: yaffs/utils/mkyaffsimage.c
===================================================================
--- yaffs.orig/utils/mkyaffsimage.c
+++ yaffs/utils/mkyaffsimage.c
@@ -385,7 +385,9 @@
static int process_directory(int parent, const char *path)
{
+#define FULL_NAME_LEN 500
int error = 0;
+ int len;
DIR *dir;
struct dirent *entry;
@@ -402,12 +404,20 @@
if(strcmp(entry->d_name,".") &&
strcmp(entry->d_name,".."))
{
- char full_name[500];
+ char full_name[FULL_NAME_LEN];
struct stat stats;
int equivalentObj;
int newObj;
- sprintf(full_name,"%s/%s",path,entry->d_name);
+ len = snprintf(full_name,FULL_NAME_LEN,"%s/%s",path,entry->d_name);
+ if (len > FULL_NAME_LEN)
+ {
+ printf("%s/%s\n",path,entry->d_name);
+ printf("ERROR: length of path >= %d\n", FULL_NAME_LEN);
+ error = -1;
+ errno = ENAMETOOLONG;
+ continue;
+ }
lstat(full_name,&stats);
--------------000007010902080807060509--