Use snprintf instead of sprintf for bounded string formatting
A large number of functions in the source tree format strings with sprintf, which carries a buffer-overflow risk whenever the destination size is not provably larger than the formatted result. Consider switching to snprintf with the destination size: the write is then bounded by construction, and checking its return value (n < 0 or n >= size) lets the caller detect truncation instead of silently using a mangled path.
For example, add_dax_dev() below formats every path with sprintf into a buffer allocated as strlen(daxdev_base) + 100 bytes. The writes are bounded in practice, because each suffix ("/dev/", "/resource", "/size", "/align", "/target_node") is far shorter than the 100 bytes of headroom, but that bound is implicit and nothing in the code checks it:
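/*
 * Build the sysfs attribute path "<base>/<attr>" into @buf, refusing to
 * truncate: a truncated path would silently name the wrong file.
 * Returns 0 on success, -1 if the result does not fit in @len bytes.
 */
static int format_attr_path(char *buf, size_t len, const char *base,
		const char *attr)
{
	int n = snprintf(buf, len, "%s/%s", base, attr);

	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Create a struct daxctl_dev for the device whose sysfs directory is
 * @daxdev_base and link it into the @parent region.  If a device with
 * the same @id is already on the region's list, the freshly built entry
 * is discarded and the existing one is returned instead.
 *
 * @parent: the struct daxctl_region that owns the device
 * @id: device instance id within the region
 * @daxdev_base: sysfs directory of the device; a copy is kept as dev_path
 *
 * Returns the device, or NULL if an allocation fails, the /dev node cannot
 * be stat'ed, the "size" attribute cannot be read, or a path would not fit
 * in the scratch buffer.
 */
static void *add_dax_dev(void *parent, int id, const char *daxdev_base)
{
	const char *devname = devpath_to_devname(daxdev_base);
	/*
	 * Scratch buffer for every path formatted below.  Each path is
	 * daxdev_base (or its devname) plus a short fixed string, so 100
	 * bytes of headroom is ample; the size is kept in path_len so each
	 * write is bounded explicitly rather than by inspection.
	 */
	size_t path_len = strlen(daxdev_base) + 100;
	char *path = calloc(1, path_len);
	struct daxctl_region *region = parent;
	struct daxctl_ctx *ctx = region->ctx;
	struct daxctl_dev *dev, *dev_dup;
	char buf[SYSFS_ATTR_SIZE];
	struct stat st;
	int n;

	if (!path)
		return NULL;

	dbg(ctx, "%s: base: \'%s\'\n", __func__, daxdev_base);
	dev = calloc(1, sizeof(*dev));
	if (!dev)
		goto err_dev;
	dev->id = id;
	dev->region = region;

	/* The /dev node supplies the major:minor of the device. */
	n = snprintf(path, path_len, "/dev/%s", devname);
	if (n < 0 || (size_t)n >= path_len)
		goto err_read;
	if (stat(path, &st) < 0)
		goto err_read;
	dev->major = major(st.st_rdev);
	dev->minor = minor(st.st_rdev);

	/* "resource" is optional: fall back to iomem_get_dev_resource(). */
	if (format_attr_path(path, path_len, daxdev_base, "resource") < 0)
		goto err_read;
	if (sysfs_read_attr(ctx, path, buf) == 0)
		dev->resource = strtoull(buf, NULL, 0);
	else
		dev->resource = iomem_get_dev_resource(ctx, daxdev_base);

	/* "size" is mandatory. */
	if (format_attr_path(path, path_len, daxdev_base, "size") < 0)
		goto err_read;
	if (sysfs_read_attr(ctx, path, buf) < 0)
		goto err_read;
	dev->size = strtoull(buf, NULL, 0);

	/* Device align attribute is only available in v5.10 or up */
	if (format_attr_path(path, path_len, daxdev_base, "align") < 0)
		goto err_read;
	if (!sysfs_read_attr(ctx, path, buf))
		dev->align = strtoull(buf, NULL, 0);
	else
		dev->align = 0;

	dev->dev_path = strdup(daxdev_base);
	if (!dev->dev_path)
		goto err_read;

	/*
	 * Per-device scratch buffer sized for daxdev_base plus a short
	 * suffix; buf_len records its size for whoever formats into it.
	 */
	dev->buf_len = strlen(daxdev_base) + 50;
	dev->dev_buf = calloc(1, dev->buf_len);
	if (!dev->dev_buf)
		goto err_read;

	/* "target_node" is optional; -1 when it cannot be read. */
	if (format_attr_path(path, path_len, daxdev_base, "target_node") < 0)
		goto err_read;
	if (sysfs_read_attr(ctx, path, buf) == 0)
		dev->target_node = strtol(buf, NULL, 0);
	else
		dev->target_node = -1;

	/* Already enumerated?  Keep the existing entry and drop this one. */
	daxctl_dev_foreach(region, dev_dup)
		if (dev_dup->id == dev->id) {
			free_dev(dev, NULL);
			free(path);
			return dev_dup;
		}

	/* -1 presumably marks mappings as not yet enumerated — confirm against the readers of num_mappings */
	dev->num_mappings = -1;
	list_head_init(&dev->mappings);
	list_add(&region->devices, &dev->list);
	free(path);
	return dev;

 err_read:
	free(dev->dev_buf);
	free(dev->dev_path);
	free(dev);
 err_dev:
	free(path);
	return NULL;
}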
ok