git.proxmox.com Git - mirror_zfs.git/commitdiff
Fix potential buffer overflow in zpool command
author Richard Yao <richard.yao@alumni.stonybrook.edu>
Sun, 4 Dec 2022 02:43:33 +0000 (21:43 -0500)
committer Brian Behlendorf <behlendorf1@llnl.gov>
Thu, 8 Dec 2022 22:14:30 +0000 (14:14 -0800)
The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This
allows for arbitrarily long strings to be passed to sprintf(), which can
overflow the buffer.

I missed this in my earlier audit of the codebase. CodeQL's
cpp/unbounded-write check caught this.

Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14264

cmd/zpool/zpool_main.c

index 0b55bf21f448d7f73a9519b65bce7ab5e253b3ee..0872671f428fa363a7464fa9922a35ccfc747dda 100644 (file)
@@ -5429,7 +5429,13 @@ print_zpool_dir_scripts(char *dirpath)
        if ((dir = opendir(dirpath)) != NULL) {
                /* print all the files and directories within directory */
                while ((ent = readdir(dir)) != NULL) {
-                       sprintf(fullpath, "%s/%s", dirpath, ent->d_name);
+                       if (snprintf(fullpath, sizeof (fullpath), "%s/%s",
+                           dirpath, ent->d_name) >= sizeof (fullpath)) {
+                               (void) fprintf(stderr,
+                                   gettext("internal error: "
+                                   "ZPOOL_SCRIPTS_PATH too large.\n"));
+                               exit(1);
+                       }
 
                        /* Print the scripts */
                        if (stat(fullpath, &dir_stat) == 0)
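
Review bot: The truncation test in the added `snprintf()` condition compares its `int` return value directly against `sizeof (fullpath)`, a `size_t`, so the comparison is performed unsigned. A negative return (output error) is only caught because it converts to a very large value, and the mixed-sign comparison is the kind of thing sign-comparison warnings flag. Consider storing the result in an `int` and testing `ret < 0 || (size_t)ret >= sizeof (fullpath)` so both cases are explicit. Separately, the length being checked is `dirpath` plus `ent->d_name`, so a long directory entry name can trip the check as well as a long path; the message names only ZPOOL_SCRIPTS_PATH and labels it an "internal error" even though the commit message describes the value as environment-supplied, so a wording that reports the path as too long would be more accurate.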