sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
authorGeert Uytterhoeven <geert@linux-m68k.org>
Sat, 29 Sep 2012 20:23:19 +0000 (22:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Oct 2012 16:51:35 +0000 (09:51 -0700)
commit 66081a72517a131430dcf986775f3268aafcb546 upstream.

The warning check for duplicate sysfs entries can cause a buffer overflow
when printing the warning, as strcat() doesn't check buffer sizes.
Use strlcat() instead.

Since strlcat() doesn't return a pointer to the passed buffer, unlike
strcat(), I had to convert the nested concatenation in sysfs_add_one() to
an admittedly more obscure comma operator construct, to avoid emitting code
for the concatenation if CONFIG_BUG is disabled.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/sysfs/dir.c

index ea9120a830d824feb798db501a4b61fbd98f6071..567b3db700990f0b4e0906350e8ed8b8716cc826 100644 (file)
@@ -404,20 +404,18 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
 /**
  *     sysfs_pathname - return full path to sysfs dirent
  *     @sd: sysfs_dirent whose path we want
- *     @path: caller allocated buffer
+ *     @path: caller allocated buffer of size PATH_MAX
  *
  *     Gives the name "/" to the sysfs_root entry; any path returned
  *     is relative to wherever sysfs is mounted.
- *
- *     XXX: does no error checking on @path size
  */
 static char *sysfs_pathname(struct sysfs_dirent *sd, char *path)
 {
        if (sd->s_parent) {
                sysfs_pathname(sd->s_parent, path);
-               strcat(path, "/");
+               strlcat(path, "/", PATH_MAX);
        }
-       strcat(path, sd->s_name);
+       strlcat(path, sd->s_name, PATH_MAX);
        return path;
 }
 
@@ -450,9 +448,11 @@ int sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
                char *path = kzalloc(PATH_MAX, GFP_KERNEL);
                WARN(1, KERN_WARNING
                     "sysfs: cannot create duplicate filename '%s'\n",
-                    (path == NULL) ? sd->s_name :
-                    strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"),
-                           sd->s_name));
+                    (path == NULL) ? sd->s_name
+                                   : (sysfs_pathname(acxt->parent_sd, path),
+                                      strlcat(path, "/", PATH_MAX),
+                                      strlcat(path, sd->s_name, PATH_MAX),
+                                      path));
                kfree(path);
        }