[CRIU] [PATCH] files: link remap -- Fix potential buffer overrun

Cyrill Gorcunov gorcunov at openvz.org
Wed Dec 25 23:51:26 PST 2013


If the former file had a path long enough to be near
the PATH_MAX limit, sprintf'ing link_remap.%d here might
overrun the limit. Use snprintf instead.

Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
---
 files-reg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files-reg.c b/files-reg.c
index 65c182d0d112..542764a54adb 100644
--- a/files-reg.c
+++ b/files-reg.c
@@ -379,7 +379,7 @@ static int create_link_remap(char *path, int len, int lfd, u32 *idp)
 	rfe.name	= link_name + 1;
 
 	/* Any 'unique' name works here actually. Remap works by reg-file ids. */
-	sprintf(tmp + 1, "link_remap.%d", rfe.id);
+	snprintf(tmp + 1, sizeof(link_name) - (size_t)(tmp - link_name - 1), "link_remap.%d", rfe.id);
 
 	if (linkat(lfd, "", mntns_root, link_name, AT_EMPTY_PATH) < 0) {
 		pr_perror("Can't link remap to %s", path);
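
Review bot: the size passed to snprintf on the added line looks two bytes larger than the space actually left after tmp + 1. Assuming link_name is a char array and tmp points into it (the declaration is outside this hunk), the room from tmp + 1 to the end of the buffer is sizeof(link_name) - (tmp - link_name) - 1, whereas sizeof(link_name) - (size_t)(tmp - link_name - 1) works out to sizeof(link_name) - (tmp - link_name) + 1, so a path close to PATH_MAX can still be written past the end. Suggest computing the bound as sizeof(link_name) - (size_t)(tmp + 1 - link_name). The return value is also ignored: on truncation link_name would silently hold a cut-off name that is then handed to linkat(), so compare the result against the size and fail with an error in that case.
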
-- 
1.8.3.1


