From cb1af1882a40096e97759d159e6a7e58719c729a Mon Sep 17 00:00:00 2001
From: Elliott Hughes
Date: Fri, 24 Sep 2021 17:51:47 -0700
Subject: [PATCH] blkid: more scanf fun.
The unbounded %[] here made me look at the kernel, where the size of a block device name is limited to 32 bytes (including the NUL), so although the 1024 bytes of toybuf was plenty, that meant that the 32-byte buffer for "/dev/%s" was too small because the "%s" alone could require the entire buffer. Fix that, and simplify the code a bit by only using toybuf for the fgets(). I didn't switch to fscanf() because the file has two lines of headers, and calling fgets() twice to skip the header seemed more awkward than keeping the continue in the loop.
---
toys/other/blkid.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/toys/other/blkid.c b/toys/other/blkid.c
index e3badca7..01b5971b 100644
--- a/toys/other/blkid.c
+++ b/toys/other/blkid.c
@@ -197,12 +197,11 @@ void blkid_main(void)
 if (*toys.optargs && !FLAG(L) && !FLAG(U)) loopfiles(toys.optargs, do_blkid);
 else {
 unsigned int ma, mi, sz, fd;
- char *name = toybuf, *buffer = toybuf+1024, device[32];
+ char name[32], device[5+32];
 FILE *fp = xfopen("/proc/partitions", "r");
- while (fgets(buffer, 1024, fp)) {
- *name = 0;
- if (sscanf(buffer, " %u %u %u %[^\n ]", &ma, &mi, &sz, name) != 4)
+ while (fgets(toybuf, sizeof(toybuf), fp)) {
+ if (sscanf(toybuf, " %u %u %u %31s", &ma, &mi, &sz, name) != 4)
 continue;
 sprintf(device, "/dev/%.20s", name);
--
2.39.2
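Review bot: The unchanged `sprintf(device, "/dev/%.20s", name);` at the end of the hunk still caps the name at 20 bytes, so the enlarged `device[5+32]` is never filled and a partition name of 21 to 31 characters is silently truncated into a path for a different or nonexistent node. Since `name` now holds at most 31 bytes plus the NUL, the precision can be dropped and the write bounded by the destination instead: `snprintf(device, sizeof(device), "/dev/%s", name);`. The rest of the loop body and of blkid_main lies outside the hunk, so how `device` is used afterwards is not visible here.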