Posted to commits@nuttx.apache.org by ac...@apache.org on 2020/01/08 10:27:32 UTC
[incubator-nuttx] 07/08: fs: smartfs: Fix buffer overrun
This is an automated email from the ASF dual-hosted git repository.
acassis pushed a commit to branch pr54
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit 88af07173ff5de2d3e9fa330b2eb1d9fd4b4d292
Author: Alin Jerpelea <al...@sony.com>
AuthorDate: Tue Dec 12 15:32:51 2017 +0900
fs: smartfs: Fix buffer overrun
---
fs/smartfs/smartfs_utils.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/smartfs/smartfs_utils.c b/fs/smartfs/smartfs_utils.c
index 971cf15..fcb3118 100644
--- a/fs/smartfs/smartfs_utils.c
+++ b/fs/smartfs/smartfs_utils.c
@@ -57,6 +57,12 @@
#include "smartfs.h"
/****************************************************************************
+ * Pre-processor Definitions
+ ****************************************************************************/
+
+#define WORKBUFFER_SIZE 256
+
+/****************************************************************************
* Private Data
****************************************************************************/
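Review bot: `WORKBUFFER_SIZE` is defined only in smartfs_utils.c, while the buffer it sizes is a member of `struct smartfs_mountpt_s`, which is presumably declared in smartfs.h. Any other file that writes to `fs->fs_workbuffer` therefore cannot bound itself against the same constant; whether such writers exist is not visible in this diff. Placing the define next to the structure declaration would keep the allocation size and every length check tied to one value. A short comment would also help, for example `/* Size of fs_workbuffer; a path segment may be at most WORKBUFFER_SIZE - 1 characters */`.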
@@ -269,7 +275,7 @@ int smartfs_mount(struct smartfs_mountpt_s *fs, bool writeable)
if (nextfs == NULL)
{
fs->fs_rwbuffer = (char *) kmm_malloc(fs->fs_llformat.availbytes);
- fs->fs_workbuffer = (char *) kmm_malloc(256);
+ fs->fs_workbuffer = (char *) kmm_malloc(WORKBUFFER_SIZE);
}
/* Now add ourselves to the linked list of SMART mounts */
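Review bot: The `kmm_malloc(WORKBUFFER_SIZE)` result is not checked in the lines shown here, nor in the second allocation in the hunk at -293. If either allocation fails, `fs->fs_workbuffer` stays NULL, and the `strncpy()` in smartfs_finddirentry() would write through it as soon as the new length check passes. The same applies to `fs->fs_rwbuffer` on the line above. A guard such as `if (fs->fs_rwbuffer == NULL || fs->fs_workbuffer == NULL)` that frees whichever buffer was obtained and returns `-ENOMEM` would close that gap. smartfs_mount() continues outside both hunks, so confirm that no such check already exists further down.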
@@ -293,7 +299,7 @@ int smartfs_mount(struct smartfs_mountpt_s *fs, bool writeable)
#endif
fs->fs_rwbuffer = (char *) kmm_malloc(fs->fs_llformat.availbytes);
- fs->fs_workbuffer = (char *) kmm_malloc(256);
+ fs->fs_workbuffer = (char *) kmm_malloc(WORKBUFFER_SIZE);
fs->fs_rootsector = SMARTFS_ROOT_DIR_SECTOR;
#endif /* CONFIG_SMARTFS_MULTI_ROOT_DIRS */
@@ -528,6 +534,14 @@ int smartfs_finddirentry(struct smartfs_mountpt_s *fs,
ptr++;
}
+ /* Check to avoid buffer overflow */
+
+ if (seglen >= WORKBUFFER_SIZE)
+ {
+ ret = -ENAMETOOLONG;
+ goto errout;
+ }
+
strncpy(fs->fs_workbuffer, segment, seglen);
fs->fs_workbuffer[seglen] = '\0';
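Review bot: The comment `/* Check to avoid buffer overflow */` does not say why the comparison is `>=` rather than `>`, which invites a later off-by-one "fix". The reason is the terminator written at `fs->fs_workbuffer[seglen]`, so something like `/* seglen must leave room for the '\0' stored at fs_workbuffer[seglen] */` would pin it down. Since the length is now validated and the terminator is written explicitly, `memcpy(fs->fs_workbuffer, segment, seglen);` states the intent more directly than `strncpy()`. The `errout` label and the rest of smartfs_finddirentry() are outside the hunk, so whether anything acquired earlier in the function is released on this new exit cannot be confirmed from here.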