You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nuttx.apache.org by ac...@apache.org on 2020/01/08 10:27:32 UTC

[incubator-nuttx] 07/08: fs: smartfs: Fix buffer overrun

This is an automated email from the ASF dual-hosted git repository.

acassis pushed a commit to branch pr54
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git

commit 88af07173ff5de2d3e9fa330b2eb1d9fd4b4d292
Author: Alin Jerpelea <al...@sony.com>
AuthorDate: Tue Dec 12 15:32:51 2017 +0900

    fs: smartfs: Fix buffer overrun
---
 fs/smartfs/smartfs_utils.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/fs/smartfs/smartfs_utils.c b/fs/smartfs/smartfs_utils.c
index 971cf15..fcb3118 100644
--- a/fs/smartfs/smartfs_utils.c
+++ b/fs/smartfs/smartfs_utils.c
@@ -57,6 +57,12 @@
 #include "smartfs.h"
 
 /****************************************************************************
+ * Pre-processor Definitions
+ ****************************************************************************/
+
+#define WORKBUFFER_SIZE 256
+
+/****************************************************************************
  * Private Data
  ****************************************************************************/
 
@@ -269,7 +275,7 @@ int smartfs_mount(struct smartfs_mountpt_s *fs, bool writeable)
   if (nextfs == NULL)
     {
       fs->fs_rwbuffer = (char *) kmm_malloc(fs->fs_llformat.availbytes);
-      fs->fs_workbuffer = (char *) kmm_malloc(256);
+      fs->fs_workbuffer = (char *) kmm_malloc(WORKBUFFER_SIZE);
     }
 
   /* Now add ourselves to the linked list of SMART mounts */
@@ -293,7 +299,7 @@ int smartfs_mount(struct smartfs_mountpt_s *fs, bool writeable)
 #endif
 
   fs->fs_rwbuffer = (char *) kmm_malloc(fs->fs_llformat.availbytes);
-  fs->fs_workbuffer = (char *) kmm_malloc(256);
+  fs->fs_workbuffer = (char *) kmm_malloc(WORKBUFFER_SIZE);
   fs->fs_rootsector = SMARTFS_ROOT_DIR_SECTOR;
 
 #endif /* CONFIG_SMARTFS_MULTI_ROOT_DIRS */
@@ -528,6 +534,14 @@ int smartfs_finddirentry(struct smartfs_mountpt_s *fs,
           ptr++;
         }
 
+      /* Check to avoid buffer overflow */
+
+      if (seglen >= WORKBUFFER_SIZE)
+        {
+          ret = -ENAMETOOLONG;
+          goto errout;
+        }
+
       strncpy(fs->fs_workbuffer, segment, seglen);
       fs->fs_workbuffer[seglen] = '\0';