mtd: clamp ubi name strings
authorMike Frysinger <vapier@gentoo.org>
Sun, 5 May 2013 05:21:54 +0000 (01:21 -0400)
committerDmitry V. Levin <ldv@altlinux.org>
Sun, 5 May 2013 08:15:24 +0000 (08:15 +0000)
Since the length fields with the ubi volnames are signed 16bit values,
make sure we clamp that number to the size of the buffer we've allocated
on the stack to prevent buffer overflows.

* mtd.c (ubi_ioctl): Clamp length to string_quote to 0/UBI_MAX_VOLUME_NAME.
Check the return of string_quote and tweak the output accordingly.

mtd.c

diff --git a/mtd.c b/mtd.c
index 9a16ad736061a144cb50d6453ed8ca92e733f1fa..5385147ff461a7b34922dbeae612b270e3efc7e8 100644 (file)
--- a/mtd.c
+++ b/mtd.c
@@ -307,6 +307,7 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
        struct ubi_set_vol_prop_req prop;
        /* 4*(n-1) + 3 for quotes and NUL */
        char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
+       int ret;
 
        if (entering(tcp))
                return 0;
@@ -320,9 +321,10 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
                        ", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
                        mkvol.alignment, (int64_t)mkvol.bytes);
                printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
-               string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
-               tprintf(", name_len=%" PRIi16 ", name=%s",
-                       mkvol.name_len, vol_name);
+               ret = string_quote(mkvol.name, vol_name, -1,
+                       CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME));
+               tprintf(", name_len=%" PRIi16 ", name=%s%s",
+                       mkvol.name_len, vol_name, ret ? "..." : "");
                tprints("}");
                return 1;
 
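Review bot: The clamped `name_len` is passed as `size` together with a `len` of -1, and the `4*(n-1) + 3` comment on `vol_name` suggests string_quote then quotes at most `size - 1` bytes, so a name that is exactly `name_len` bytes long would lose its last character and be marked with `...`. string_quote's contract is not visible in this diff, so this needs confirming. If it holds, `CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME) + 1` still fits the `(UBI_MAX_VOLUME_NAME + 1) * 4` output buffer and, assuming `name` is declared with `UBI_MAX_VOLUME_NAME + 1` bytes, the source array. The same applies to the `rnvol.ents[c]` call in the next hunk; ubi_ioctl's body starts and ends outside this hunk.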
@@ -344,11 +346,11 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
                for (c = 0; c < CLAMP(rnvol.count, 0, UBI_MAX_RNVOL); ++c) {
                        if (c)
                                tprints(", ");
-                       string_quote(rnvol.ents[c].name, vol_name, -1,
-                               rnvol.ents[c].name_len);
+                       ret = string_quote(rnvol.ents[c].name, vol_name, -1,
+                               CLAMP(rnvol.ents[c].name_len, 0, UBI_MAX_VOLUME_NAME));
                        tprintf("{vol_id=%" PRIi32 ", name_len=%" PRIi16
-                               ", name=%s}", rnvol.ents[c].vol_id,
-                               rnvol.ents[c].name_len, vol_name);
+                               ", name=%s%s}", rnvol.ents[c].vol_id,
+                               rnvol.ents[c].name_len, vol_name, ret ? "..." : "");
                }
                tprints("]}");
                return 1;
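Review bot: The clamp-then-quote sequence for a tracee-supplied volume name now appears twice (here and in the `mkvol` branch), and each copy has to agree with the size of `vol_name`, which is declared far from both call sites. Moving the buffer, the clamp and the `...` marker into one static helper would keep the bound and the buffer together, so a later change to either cannot reintroduce the overflow in only one branch. It would also shorten the `CLAMP(rnvol.ents[c].name_len, ...)` line, which runs past 80 columns. ubi_ioctl starts and ends outside the hunk, so the helper below is a sketch against the visible lines only.

```c
/* Quote a UBI volume name copied from the tracee; the clamp keeps
 * string_quote within vol_name regardless of the reported name_len. */
static void
print_ubi_vol_name(const char *name, int name_len)
{
        /* 4*(n-1) + 3 for quotes and NUL */
        char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
        int ret = string_quote(name, vol_name, -1,
                CLAMP(name_len, 0, UBI_MAX_VOLUME_NAME));

        tprintf("%s%s", vol_name, ret ? "..." : "");
}

/* ... unchanged: rnvol loop header and separator ... */
                        tprintf("{vol_id=%" PRIi32 ", name_len=%" PRIi16
                                ", name=", rnvol.ents[c].vol_id,
                                rnvol.ents[c].name_len);
                        print_ubi_vol_name(rnvol.ents[c].name,
                                rnvol.ents[c].name_len);
                        tprints("}");
```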