verify: fix potential buffer overrun in dump_buf() Signed-off-by: Jens Axboe <axboe@fb.com>

commit: dacbbb8875c09e982d59e1c1a40879af81842a42 [log] [tgz]
author: Jens Axboe <axboe@fb.com> Mon Apr 14 08:43:55 2014 -0600
committer: Jens Axboe <axboe@fb.com> Mon Apr 14 08:43:55 2014 -0600
tree: 97cc5a70342b74d209269a5f5ff43ff73f2f66e0
parent: 73a467e6899315b1f78cf8f16bb1b1ac6d21505e [diff] [blame]
diff --git a/verify.c b/verify.c
index 9eb532a..282a8cf 100644
--- a/verify.c
+++ b/verify.c

@@ -226,16 +226,32 @@
 	unsigned int crc_len;
 };
 
+#define DUMP_BUF_SZ	255
+static int dump_buf_warned;
+
 static void dump_buf(char *buf, unsigned int len, unsigned long long offset,
 		     const char *type, struct fio_file *f)
 {
-	char *ptr, fname[256];
+	char *ptr, fname[DUMP_BUF_SZ];
+	size_t buf_left = DUMP_BUF_SZ;
 	int ret, fd;
 
 	ptr = strdup(f->file_name);
-	strcpy(fname, basename(ptr));
 
-	sprintf(fname + strlen(fname), ".%llu.%s", offset, type);
+	fname[DUMP_BUF_SZ - 1] = '\0';
+	strncpy(fname, basename(ptr), DUMP_BUF_SZ - 1);
+
+	buf_left -= strlen(fname);
+	if (buf_left <= 0) {
+		if (!dump_buf_warned) {
+			log_err("fio: verify failure dump buffer too small\n");
+			dump_buf_warned = 1;
+		}
+		free(ptr);
+		return;
+	}
+
+	snprintf(fname + strlen(fname), buf_left, ".%llu.%s", offset, type);
 
 	fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0644);
 	if (fd < 0) {
commit	dacbbb8875c09e982d59e1c1a40879af81842a42	[log] [tgz]
author	Jens Axboe <axboe@fb.com>	Mon Apr 14 08:43:55 2014 -0600
committer	Jens Axboe <axboe@fb.com>	Mon Apr 14 08:43:55 2014 -0600
tree	97cc5a70342b74d209269a5f5ff43ff73f2f66e0
parent	73a467e6899315b1f78cf8f16bb1b1ac6d21505e [diff] [blame]