mirror of https://git.proxmox.com/git/mirror_zfs.git
synced 2025-10-26 09:54:59 +03:00
	zdb: Handle theoretical buffer overflow when printing float
CodeQL pointed out that for extreme floating point values, `sprintf()` will overwrite a 32-character buffer. It cited 1e304 as an example, which causes `sprintf()` to print 308 characters. In practice, the numbers should never exceed 100, so this should not happen. To silence the warning and also handle unexpected situations, we change the code to use `snprintf()`.

This was missed during my audit of our use of `sprintf()`, since I did not think to consider extreme floating point representations. It also really should not happen, so this change is purely defensive programming.

This was found by CodeQL's cpp/overrunning-write-with-float check.

Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com>
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14264
This commit is contained in:
parent d30db519af
commit f954ea26a6
				| @ -3496,9 +3496,9 @@ dump_object(objset_t *os, uint64_t object, int verbosity, | |||||||
| 	zdb_nicenum(doi.doi_physical_blocks_512 << 9, asize, sizeof (asize)); | 	zdb_nicenum(doi.doi_physical_blocks_512 << 9, asize, sizeof (asize)); | ||||||
| 	zdb_nicenum(doi.doi_bonus_size, bonus_size, sizeof (bonus_size)); | 	zdb_nicenum(doi.doi_bonus_size, bonus_size, sizeof (bonus_size)); | ||||||
| 	zdb_nicenum(doi.doi_dnodesize, dnsize, sizeof (dnsize)); | 	zdb_nicenum(doi.doi_dnodesize, dnsize, sizeof (dnsize)); | ||||||
| 	(void) sprintf(fill, "%6.2f", 100.0 * doi.doi_fill_count * | 	(void) snprintf(fill, sizeof (fill), "%6.2f", 100.0 * | ||||||
| 	    doi.doi_data_block_size / (object == 0 ? DNODES_PER_BLOCK : 1) / | 	    doi.doi_fill_count * doi.doi_data_block_size / (object == 0 ? | ||||||
| 	    doi.doi_max_offset); | 	    DNODES_PER_BLOCK : 1) / doi.doi_max_offset); | ||||||
| 
 | 
 | ||||||
| 	aux[0] = '\0'; | 	aux[0] = '\0'; | ||||||
| 
 | 
 | ||||||
|  | |||||||
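Review bot: the snprintf() return value on the first changed line is still cast to (void), so if the formatted percentage ever did exceed sizeof (fill) the output would be silently truncated rather than flagged; given that the commit message treats overflow as a should-never-happen case, consider asserting that the return value is less than sizeof (fill), or say in a comment that truncation is acceptable. Also, sizeof (fill) is only the buffer size if fill is a local char array; its declaration is outside this hunk, so please confirm it is not a pointer, since the call would otherwise compile and pass the pointer size.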