files: link remap -- Fix potential buffer overrun

If the former file had a path long enough to be near PATH_MAX limit, sprintf'ing link_remap.%d here might overrun the limit. Use snprintf instead. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

files: link remap -- Fix potential buffer overrun
If the former file had a path long enough to be near PATH_MAX limit, sprintf'ing link_remap.%d here might overrun the limit. Use snprintf instead. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
c1fd8656 · Cyrill Gorcunov · Pavel Emelyanov · 1c2b1633 · c1fd8656
Commit c1fd8656 authored Dec 26, 2013 by Cyrill Gorcunov Committed by Pavel Emelyanov Dec 26, 2013
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

files-reg.c files-reg.c +1 -1

No files found.
--- a/files-reg.c
+++ b/files-reg.c
@@ -379,7 +379,7 @@ static int create_link_remap(char *path, int len, int lfd, u32 *idp)
 	rfe.name	= link_name + 1;

 	/* Any 'unique' name works here actually. Remap works by reg-file ids. */
-	sprintf(tmp + 1, "link_remap.%d", rfe.id);
+	snprintf(tmp + 1, sizeof(link_name) - (size_t)(tmp - link_name - 1), "link_remap.%d", rfe.id);

 	if (linkat(lfd, "", mntns_root, link_name, AT_EMPTY_PATH) < 0) {
 		pr_perror("Can't link remap to %s", path);