[Yaffs] patch: mkyaffsimage - buffer overflow fix

Frank Rowand frowand@mvista.com
Mon, 22 Nov 2004 16:07:46 -0800



The attached patch prevents a buffer overflow which occurs when a
path becomes too long.

(And with this patch, I'll end my tiny flood of the email list...)

-Frank
-- 
Frank Rowand <frank_rowand@mvista.com>
MontaVista Software, Inc

Attachment: yaffs_userland_08_mkyaffsimage_buf_overflow.patch

Index: yaffs/utils/mkyaffsimage.c
===================================================================
--- yaffs.orig/utils/mkyaffsimage.c
+++ yaffs/utils/mkyaffsimage.c
@@ -385,7 +385,9 @@
 
 static int process_directory(int parent, const char *path)
 {
+#define FULL_NAME_LEN 500
 	int error = 0;
+	int len;
 	DIR *dir;
 	struct dirent *entry;
 
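Review bot: The "#define FULL_NAME_LEN 500" sits inside the body of process_directory(), ahead of the declarations, and is never #undef'd, so it reads as function-local while staying defined for the rest of the file. Move it to file scope, or drop the macro and pass sizeof(full_name) to snprintf so the bound stays tied to the array itself. "int len" is likewise declared at function scope although the visible hunks use it only inside the inner block that holds full_name; declaring it next to "struct stat stats;" would keep it with its one use.
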
@@ -402,12 +404,20 @@
 			if(strcmp(entry->d_name,".") &&
 			   strcmp(entry->d_name,".."))
  			{
- 				char full_name[500];
+ 				char full_name[FULL_NAME_LEN];
 				struct stat stats;
 				int equivalentObj;
 				int newObj;
 				
-				sprintf(full_name,"%s/%s",path,entry->d_name);
+				len = snprintf(full_name,FULL_NAME_LEN,"%s/%s",path,entry->d_name);
+				if (len > FULL_NAME_LEN)
+				{
+					printf("%s/%s\n",path,entry->d_name);
+					printf("ERROR: length of path >= %d\n", FULL_NAME_LEN);
+					error = -1;
+					errno = ENAMETOOLONG;
+					continue;
+				}
 				
 				lstat(full_name,&stats);
 				
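Review bot: The truncation test "if (len > FULL_NAME_LEN)" is off by one: snprintf returns the length the complete string would have had, not counting the terminating NUL, so a return value equal to FULL_NAME_LEN already means the last character was dropped, and lstat() then runs on a shortened path. The test should be "len >= FULL_NAME_LEN", which also matches the message text "length of path >= %d"; adding "len < 0" covers the case where snprintf reports an error. The two printf calls send the diagnostic to stdout, where fprintf(stderr, ...) would keep it out of normal output. The hunk assigns errno = ENAMETOOLONG but shows no #include <errno.h>, so confirm the file already has it.
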
