You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In super-io.c, strlen() is used to determine whether a label is present. However, sb->label is not required to be null-terminated. If it is less than the maximum length, it will be null-terminated. But if it is the maximum length, then it will not be null-terminated, thus causing strlen() to keep reading until it encounters a null character, which will be reading into the other fields of the data structure and perhaps even read outside of the data structure?
I tried it on a filesystem with a 32-length label, and strlen() read 34 bytes and returned 33.
Would if (sb->label[0]) be safer? If the label is present, the first char will be non-zero. And if the label is not present, the first char will be null.
The text was updated successfully, but these errors were encountered:
bcachefs-tools/libbcachefs/super-io.c
Line 1319 in 61f8dc2
In
super-io.c, strlen() is used to determine whether a label is present. However, sb->label is not required to be null-terminated. If it is less than the maximum length, it will be null-terminated. But if it is the maximum length, then it will not be null-terminated, thus causing strlen() to keep reading until it encounters a null character, which will be reading into the other fields of the data structure and perhaps even read outside of the data structure?I tried it on a filesystem with a 32-length label, and strlen() read 34 bytes and returned 33.
Would
if (sb->label[0])be safer? If the label is present, the first char will be non-zero. And if the label is not present, the first char will be null.The text was updated successfully, but these errors were encountered: