authorMike Frysinger <vapier@gentoo.org>2013-05-05 01:21:54 -0400
committerDmitry V. Levin <ldv@altlinux.org>2013-05-05 08:15:24 +0000
commit2f99788e8f41fbcf5202395707c969aecff64149 (patch)
tree397fae1310133af32815f263924ecca2d91a0f44 /mtd.c
parent7a498be266b80b7fef70fe74deed269ae3881525 (diff)
mtd: clamp ubi name strings
Since the length fields with the ubi volnames are signed 16bit values, make sure we clamp that number to the size of the buffer we've allocated on the stack to prevent buffer overflows. * mtd.c (ubi_ioctl): Clamp length to string_quote to 0/UBI_MAX_VOLUME_NAME. Check the return of string_quote and tweak the output accordingly.
Diffstat (limited to 'mtd.c')
-rw-r--r--mtd.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/mtd.c b/mtd.c
index 9a16ad7..5385147 100644
--- a/mtd.c
+++ b/mtd.c
@@ -307,6 +307,7 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
struct ubi_set_vol_prop_req prop;
/* 4*(n-1) + 3 for quotes and NUL */
char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
+ int ret;
if (entering(tcp))
return 0;
@@ -320,9 +321,10 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
mkvol.alignment, (int64_t)mkvol.bytes);
printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
- string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
- tprintf(", name_len=%" PRIi16 ", name=%s",
- mkvol.name_len, vol_name);
+ ret = string_quote(mkvol.name, vol_name, -1,
+ CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME));
+ tprintf(", name_len=%" PRIi16 ", name=%s%s",
+ mkvol.name_len, vol_name, ret ? "..." : "");
tprints("}");
return 1;
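Review bot: The clamp on the `string_quote` call for `mkvol.name` bounds the size argument, but whether the result is safe and accurate depends on how `string_quote` treats that size when `len` is `-1`, and its definition is outside this diff. It is worth confirming that this mode handles a size of 0 (any `name_len` of zero or below) without wrapping, and that a size equal to the exact name length does not drop the last byte and report the name as truncated. Because `name_len` is printed unclamped while the name itself is bounded, a comment at the call would help the next reader, for example `/* name_len is not trusted: bound the read to what vol_name can hold */`. The body of `ubi_ioctl` starts and ends outside the hunk.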
@@ -344,11 +346,11 @@ int ubi_ioctl(struct tcb *tcp, long code, long arg)
for (c = 0; c < CLAMP(rnvol.count, 0, UBI_MAX_RNVOL); ++c) {
if (c)
tprints(", ");
- string_quote(rnvol.ents[c].name, vol_name, -1,
- rnvol.ents[c].name_len);
+ ret = string_quote(rnvol.ents[c].name, vol_name, -1,
+ CLAMP(rnvol.ents[c].name_len, 0, UBI_MAX_VOLUME_NAME));
tprintf("{vol_id=%" PRIi32 ", name_len=%" PRIi16
- ", name=%s}", rnvol.ents[c].vol_id,
- rnvol.ents[c].name_len, vol_name);
+ ", name=%s%s}", rnvol.ents[c].vol_id,
+ rnvol.ents[c].name_len, vol_name, ret ? "..." : "");
}
tprints("]}");
return 1;
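Review bot: The clamp-then-quote sequence in the `rnvol.ents[c]` loop is a second copy of the one in the mkvol branch, so the bound that protects `vol_name` now has to be kept correct in two places. A small static helper that takes the name and its `name_len` and applies the clamp itself would keep the limit next to the buffer-size assumption, leaving both call sites to format the result only. The `int16_t` parameter type below is inferred from the `PRIi16` format and the commit description, so it should be checked against the struct definition. The enclosing function continues outside the hunk.

```c
/*
 * Quote a UBI volume name into buf, which must hold
 * (UBI_MAX_VOLUME_NAME + 1) * 4 bytes. The length is bounded here
 * so no caller can pass an out-of-range name_len through.
 */
static int
quote_ubi_name(const char *name, int16_t name_len, char *buf)
{
	return string_quote(name, buf, -1,
			    CLAMP(name_len, 0, UBI_MAX_VOLUME_NAME));
}

/* … unchanged: loop header and ", " separator … */
		ret = quote_ubi_name(rnvol.ents[c].name,
				     rnvol.ents[c].name_len, vol_name);
/* … unchanged: tprintf of vol_id, name_len, name … */
```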