[PATCH 1/1] fs: fat_write: fix short name creation.
Truncate file names if the buffer size is exceeded to avoid a buffer overflow.
Use Sphinx style function description.
Add a TODO comment.
Reported-by: CID 303779 Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- fs/fat/fat_write.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/fs/fat/fat_write.c b/fs/fat/fat_write.c index 59cc0bae94..b16a39d3ff 100644 --- a/fs/fat/fat_write.c +++ b/fs/fat/fat_write.c @@ -50,8 +50,11 @@ static int disk_write(__u32 block, __u32 nr_blocks, void *buf) return ret; }
-/* - * Set short name in directory entry +/** + * set_name() - set short name in directory entry + * + * @dirent: directory entry + * @filename: long file name */ static void set_name(dir_entry *dirent, const char *filename) { @@ -66,7 +69,8 @@ static void set_name(dir_entry *dirent, const char *filename) if (len == 0) return;
- strcpy(s_name, filename); + strncpy(s_name, filename, VFAT_MAXLEN_BYTES - 1); + s_name[VFAT_MAXLEN_BYTES - 1] = '\0'; uppercase(s_name, len);
period = strchr(s_name, '.'); @@ -87,6 +91,11 @@ static void set_name(dir_entry *dirent, const char *filename) memcpy(dirent->name, s_name, period_location); } else { memcpy(dirent->name, s_name, 6); + /* + * TODO: Translating two long names with the same first six + * characters to the same short name is utterly wrong. + * Short names must be unique. + */ dirent->name[6] = '~'; dirent->name[7] = '1'; } -- 2.26.2
Hi Heinrich,
On Tue, 26 May 2020 at 13:12, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
Truncate file names if the buffer size is exceeded to avoid a buffer overflow.
Use Sphinx style function description.
Add a TODO comment.
Reported-by: CID 303779 Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
fs/fat/fat_write.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
See below
diff --git a/fs/fat/fat_write.c b/fs/fat/fat_write.c index 59cc0bae94..b16a39d3ff 100644 --- a/fs/fat/fat_write.c +++ b/fs/fat/fat_write.c @@ -50,8 +50,11 @@ static int disk_write(__u32 block, __u32 nr_blocks, void *buf) return ret; }
-/*
- Set short name in directory entry
+/**
- set_name() - set short name in directory entry
- @dirent: directory entry
*/
- @filename: long file name
static void set_name(dir_entry *dirent, const char *filename) { @@ -66,7 +69,8 @@ static void set_name(dir_entry *dirent, const char *filename) if (len == 0) return;
strcpy(s_name, filename);
strncpy(s_name, filename, VFAT_MAXLEN_BYTES - 1);s_name[VFAT_MAXLEN_BYTES - 1] = '\0';
Could use strlcpy() here
uppercase(s_name, len); period = strchr(s_name, '.');@@ -87,6 +91,11 @@ static void set_name(dir_entry *dirent, const char *filename) memcpy(dirent->name, s_name, period_location); } else { memcpy(dirent->name, s_name, 6);
/** TODO: Translating two long names with the same first six* characters to the same short name is utterly wrong.* Short names must be unique.*/ dirent->name[6] = '~'; dirent->name[7] = '1'; }-- 2.26.2
Regards, Simon
On Tue, May 26, 2020 at 09:06:50PM +0200, Heinrich Schuchardt wrote:
Truncate file names if the buffer size is exceeded to avoid a buffer overflow.
Use Sphinx style function description.
Add a TODO comment.
Reported-by: CID 303779 Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de Reviewed-by: Simon Glass sjg@chromium.org
Applied to u-boot/master, thanks!
participants (3)
-
Heinrich Schuchardt -
Simon Glass -
Tom Rini