diff options
author | Sergey Poznyakoff <gray@gnu.org.ua> | 2010-03-01 10:49:03 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2010-03-01 10:49:03 +0200 |
commit | 9bc39283e4cc6ab9e5913ccbf766998eab4ff093 (patch) | |
tree | 93cefadd9fbc48dd47d3018bc188cadeab114b9a /lib | |
parent | 23f513275379f6305acf65437a96db4bdcd67571 (diff) | |
download | paxutils-9bc39283e4cc6ab9e5913ccbf766998eab4ff093.tar.gz |
Bugfixes in rtapelib
* lib/rmt.h (rmtcreat): Use fcntl O_ macros insead of
their hardcoded values.
* lib/rtapelib.c (rmt_read__,rmt_ioctl__): Prevent
potential overflow.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/rmt.h | 2 | ||||
-rw-r--r-- | lib/rtapelib.c | 9 |
2 files changed, 9 insertions, 2 deletions
@@ -61,7 +61,7 @@ extern bool force_local_option; #define rmtcreat(dev_name, mode, command) \ (_remdev (dev_name) \ - ? rmt_open__ (dev_name, 1 | O_CREAT, __REM_BIAS, command) \ + ? rmt_open__ (dev_name, O_CREAT | O_WRONLY, __REM_BIAS, command) \ : creat (dev_name, mode)) #define rmtlstat(dev_name, muffer) \ diff --git a/lib/rtapelib.c b/lib/rtapelib.c index 02ad1e7..cb645db 100644 --- a/lib/rtapelib.c +++ b/lib/rtapelib.c @@ -573,7 +573,8 @@ rmt_read__ (int handle, char *buffer, size_t length) sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen) @@ -709,6 +710,12 @@ rmt_ioctl__ (int handle, int operation, char *argument) || (status = get_status (handle), status == -1)) return -1; + if (status > sizeof (struct mtop)) + { + errno = EOVERFLOW; + return -1; + } + for (; status > 0; status -= counter, argument += counter) { counter = safe_read (READ_SIDE (handle), argument, status); |