cov: use sscanf buffer size limits

String parsing with buffer size limit.
2024-12-21 13:34:40 +03:00 · 2024-05-04 21:14:41 +02:00 · 2024-05-04 21:14:41 +02:00 · 04b407674c
commit 04b407674c
parent 61a11f25a3
5 changed files with 11 additions and 5 deletions
--- a/device_mapper/libdm-common.c
+++ b/device_mapper/libdm-common.c
@ -537,7 +537,8 @@ int unmangle_string(const char *str, const char *str_name, size_t len,
 		}

 		if (str[i] == '\\' && str[i+1] == 'x') {
-			if (!sscanf(&str[i+2], "%2x%s", &code, str_rest)) {
+			if (!sscanf(&str[i+2], "%2x%" DM_TO_STRING(DM_NAME_LEN) "s",
+				    &code, str_rest)) {
 				log_debug_activation("Hex encoding mismatch detected in %s \"%s\" "
 						     "while trying to unmangle it.", str_name, str);
 				goto out;
--- a/lib/device/dev-cache.c
+++ b/lib/device/dev-cache.c
@ -2278,7 +2278,8 @@ try_partition:
 		return NULL;

 	while (fgets(line, sizeof(line), fp)) {
-		if (sscanf(line, "%u %u %llu %s", &line_major, &line_minor, (unsigned long long *)&line_blocks, namebuf) != 4)
+		if (sscanf(line, "%u %u %llu %" DM_TO_STRING(NAME_LEN) "s",
+			   &line_major, &line_minor, (unsigned long long *)&line_blocks, namebuf) != 4)
 			continue;
 		if (line_major != major)
 			continue;
--- a/lib/device/filesystem.c
+++ b/lib/device/filesystem.c
@ -320,7 +320,10 @@ int fs_mount_state_is_misnamed(struct cmd_context *cmd, struct logical_volume *l
 	while (fgets(proc_line, sizeof(proc_line), fp)) {
 		if (proc_line[0] != '/')
 			continue;
-		if (sscanf(proc_line, "%s %s %s", proc_devpath, proc_mntpath, proc_fstype) != 3)
+		if (sscanf(proc_line, "%"
+			   DM_TO_STRING(PATH_MAX) "s %"
+			   DM_TO_STRING(PATH_MAX) "s %"
+			   DM_TO_STRING(PATH_MAX) "s", proc_devpath, proc_mntpath, proc_fstype) != 3)
 			continue;
 		if (strcmp(fstype, proc_fstype))
 			continue;
--- a/libdm/dm-tools/dmsetup.c
+++ b/libdm/dm-tools/dmsetup.c
@ -347,7 +347,7 @@ static int _parse_line(struct dm_task *dmt, char *buffer, const char *file,
 	if (!*ptr || *ptr == '#')
 		return 1;

-	if (sscanf(ptr, "%llu %llu %s %n",
+	if (sscanf(ptr, "%llu %llu %" DM_TO_STRING(LINE_SIZE) "s %n",
 		   &start, &size, ttype, &n) < 3) {
 		log_error("Invalid format on line %d of table %s.", line, file);
 		return 0;
--- a/libdm/libdm-common.c
+++ b/libdm/libdm-common.c
@ -535,7 +535,8 @@ int unmangle_string(const char *str, const char *str_name, size_t len,
 		}

 		if (str[i] == '\\' && str[i+1] == 'x') {
-			if (!sscanf(&str[i+2], "%2x%s", &code, str_rest)) {
+			if (!sscanf(&str[i+2], "%2x%" DM_TO_STRING(DM_NAME_LEN) "s",
+				    &code, str_rest)) {
 				log_debug_activation("Hex encoding mismatch detected in %s \"%s\" "
 						     "while trying to unmangle it.", str_name, str);
 				goto out;