From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: proc/devname.c: Use snprintf() in link_name(). X-Git-Tag: v3.3.15~105 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f59bd5c52c8ff6f907c62afa7fdff3d3bf378a3;p=procps-ng proc/devname.c: Use snprintf() in link_name(). Found no problematic use case at the moment, but better safe than sorry. Also, return an error on snprintf() or readlink() truncation.
---
diff --git a/proc/devname.c b/proc/devname.c
index 9ba96d73..74290791 100644
--- a/proc/devname.c
+++ b/proc/devname.c
@@ -288,10 +288,11 @@ static int guess_name(char *restrict const buf, unsigned maj, unsigned min){
 static int link_name(char *restrict const buf, unsigned maj, unsigned min, int pid, const char *restrict name){
 struct stat sbuf;
 char path[32];
- int count;
- sprintf(path, "/proc/%d/%s", pid, name); /* often permission denied */
+ ssize_t count;
+ const int len = snprintf(path, sizeof path, "/proc/%d/%s", pid, name); /* often permission denied */
+ if(len <= 0 || (size_t)len >= sizeof path) return 0;
 count = readlink(path,buf,TTY_NAME_SIZE-1);
- if(count == -1) return 0;
+ if(count <= 0 || count >= TTY_NAME_SIZE-1) return 0;
 buf[count] = '\0';
 if(stat(buf, &sbuf) < 0) return 0;
 if(min != MINOR_OF(sbuf.st_rdev)) return 0;
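Review bot: The new truncation test `count >= TTY_NAME_SIZE-1` is correct because readlink() silently truncates to the bufsiz it was given, but it also rejects a link target that is exactly TTY_NAME_SIZE-1 bytes long even though that target fits in buf with room for the terminator. If buf really is TTY_NAME_SIZE bytes (the -1 bound suggests so, but buf's size is not visible here), the same guarantee with no false rejection is `count = readlink(path,buf,TTY_NAME_SIZE);` followed by `if(count <= 0 || count >= TTY_NAME_SIZE) return 0;`, which still keeps `buf[count]` in bounds. Separately, the `/* often permission denied */` comment was carried over onto the snprintf() line, where nothing can be denied; it belongs on the readlink() call, which is the syscall that fails with EACCES for other users' processes. link_name() continues past the end of this hunk.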