Add fix-strncat branch which corrects a buffer overrun.

diff --git a/.topdeps b/.topdeps
new file mode 100644 (file)
index 0000000..1f7391f
--- /dev/null
+++ b/.topdeps
@@ -0,0 +1 @@
+master

diff --git a/.topmsg b/.topmsg
new file mode 100644 (file)
index 0000000..1a1a566
--- /dev/null
+++ b/.topmsg
@@ -0,0 +1,8 @@
+From: Brian Behlendorf <behlendorf1@llnl.gov>
+Subject: [PATCH] fix strncat
+
+This look like a typo.  The intention was to use strlcat() however
+strncat() was used instead accidentally this may lead to a buffer
+overflow.  This was caught by gcc -D_FORTIFY_SOURCE=2.
+
+Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>

diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c
index 5a2e2aeb6d5350dedd4f518341398f779f984bb1..ab6977e9ec00ae0aef2616ec01971dc0a6539279 100644 (file)
--- a/lib/libzfs/libzfs_sendrecv.c
+++ b/lib/libzfs/libzfs_sendrecv.c
@@ -1642,7 +1642,7 @@ zfs_receive_one(libzfs_handle_t *hdl, int infd, const char *tosnap,
         * Determine name of destination snapshot, store in zc_value.
         */
        (void) strcpy(zc.zc_value, tosnap);
-       (void) strncat(zc.zc_value, drrb->drr_toname+choplen,
+       (void) strlcat(zc.zc_value, drrb->drr_toname+choplen,
            sizeof (zc.zc_value));
        if (!zfs_name_valid(zc.zc_value, ZFS_TYPE_SNAPSHOT)) {
                zcmd_free_nvlists(&zc);