libnpfs: catch overflow in np_deserialize_p9dirent

Problem: compilation of diodls.c fails due to a potential string overflow when building a test deb. In function ‘snprintf’, inlined from ‘np_deserialize_p9dirent’ at ../libnpfs/np.c:1712:3, inlined from ‘npc_readdir_r’ at ../libnpclient/readdir.c:115:8, inlined from ‘lsdir’ at diodls.c:240:14: /usr/include/x86_64-linux-gnu/bits/stdio2.h:71:10: error: ‘__builtin___snprintf_chk’ specified bound 4097 exceeds destination size 256 [-Werror=stringop-overflow=] 71 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, | ^ lto1: all warnings being treated as errors Add an explicit check for the overflow and use memcpy() instead of snprintf("%.*s") here.
chaos · Jan 1, 2025 · 03fdd4f · 03fdd4f
1 parent a903876
commit 03fdd4f
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/src/libnpfs/np.c b/src/libnpfs/np.c
@@ -1704,14 +1704,11 @@ np_deserialize_p9dirent(Npqid *qid, u64 *offset, u8 *type,
 	*type = buf_get_int8(bufp);
 	buf_get_str(bufp, &s9);
 
-	if (s9.len > 0)
-		snprintf (name, namelen, "%.*s", s9.len, s9.str);
-	else
-		name[0] = '\0';
-
-
-	if (buf_check_overflow (bufp))
+	if (buf_check_overflow (bufp) || s9.len >= namelen)
 		return 0;
 
+	memcpy (name, s9.str, s9.len);
+	name[s9.len] = '\0';
+
 	return bufp->p - bufp->sp;
 }