The ZPOOL_SCRIPTS_PATH environment variable can be passed here. This
allows for arbitrarily long strings to be passed to sprintf(), which can
overflow the buffer.
I missed this in my earlier audit of the codebase. CodeQL's
cpp/unbounded-write check caught this.
Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14264
if ((dir = opendir(dirpath)) != NULL) {
/* print all the files and directories within directory */
while ((ent = readdir(dir)) != NULL) {
- sprintf(fullpath, "%s/%s", dirpath, ent->d_name);
+ if (snprintf(fullpath, sizeof (fullpath), "%s/%s",
+ dirpath, ent->d_name) >= sizeof (fullpath)) {
+ (void) fprintf(stderr,
+ gettext("internal error: "
+ "ZPOOL_SCRIPTS_PATH too large.\n"));
+ exit(1);
+ }
/* Print the scripts */
if (stat(fullpath, &dir_stat) == 0)