From 9f59bd5c52c8ff6f907c62afa7fdff3d3bf378a3 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] proc/devname.c: Use snprintf() in link_name(). Found no problematic use case at the moment, but better safe than sorry. Also, return an error on snprintf() or readlink() truncation. --- proc/devname.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/proc/devname.c b/proc/devname.c index 9ba96d73..74290791 100644 --- a/proc/devname.c +++ b/proc/devname.c @@ -288,10 +288,11 @@ static int guess_name(char *restrict const buf, unsigned maj, unsigned min){ static int link_name(char *restrict const buf, unsigned maj, unsigned min, int pid, const char *restrict name){ struct stat sbuf; char path[32]; - int count; - sprintf(path, "/proc/%d/%s", pid, name); /* often permission denied */ + ssize_t count; + const int len = snprintf(path, sizeof path, "/proc/%d/%s", pid, name); /* often permission denied */ + if(len <= 0 || (size_t)len >= sizeof path) return 0; count = readlink(path,buf,TTY_NAME_SIZE-1); - if(count == -1) return 0; + if(count <= 0 || count >= TTY_NAME_SIZE-1) return 0; buf[count] = '\0'; if(stat(buf, &sbuf) < 0) return 0; if(min != MINOR_OF(sbuf.st_rdev)) return 0;