File 0090-mdadm-device_name_buffer_overflow.patch of Package mdadm.8063

Subject: mdadm: prevent device name buffer overflow
References: bsc#1090819, bsc#1032339

This patch was added for bsc#1090819, as suggested by
Josef Cejka. The original patch is a fix for bsc#1032339 and
contained only the code change; Coly Li added this patch header to
record more information.

Signed-off-by: Josef Cejka <jcejka@suse.com>
Index: mdadm-3.4/mdopen.c
===================================================================
--- mdadm-3.4.orig/mdopen.c
+++ mdadm-3.4/mdopen.c
@@ -304,7 +304,10 @@ int create_mddev(char *dev, char *name,
 	if (num < 0 && cname && ci->names) {
 		int fd;
 		int n = -1;
-		sprintf(devnm, "md_%s", cname);
+		if (snprintf(devnm, sizeof(devnm), "md_%s", cname) >= sizeof(devnm)) {
+			pr_err("Device name md_%s must be shorter than %d bytes.\n", cname, sizeof(devnm));
+			return -1;
+		}
 		fd = open("/sys/module/md_mod/parameters/new_array", O_WRONLY);
 		if (fd < 0 && errno == ENOENT) {
 			system("modprobe md_mod");
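Review bot: The new `pr_err` call prints `sizeof(devnm)` with `%d`, but `sizeof` yields a `size_t`, so the argument type does not match the conversion; the line should read `pr_err("Device name md_%s must be shorter than %zu bytes.\n", cname, sizeof(devnm));`. The second hunk's `pr_err` for `devname` has the same mismatch. The guard also compares the `int` result of `snprintf` with a `size_t`, so an encoding error (negative return) is rejected only through the implicit unsigned conversion; making that explicit, e.g. `int len = snprintf(devnm, sizeof(devnm), "md_%s", cname);` followed by `if (len < 0 || (size_t)len >= sizeof(devnm)) {`, documents the intent and avoids a sign-compare warning. create_mddev starts and ends outside this hunk, so whether the early `return -1` skips any cleanup cannot be judged from here.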
@@ -348,7 +351,10 @@ int create_mddev(char *dev, char *name,
 		}
 	}
 
-	sprintf(devname, "/dev/%s", devnm);
+	if (snprintf(devname, sizeof(devname), "/dev/%s", devnm) >= sizeof(devname)) {
+		pr_err("Device path /dev/%s must be shorter than %d bytes.\n", devnm, sizeof(devname));
+		return -1;
+	}
 
 	if (dev && dev[0] == '/')
 		strcpy(chosen, dev);
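Review bot: The `strcpy(chosen, dev);` directly below the new check is still an unbounded copy of the caller-supplied `dev`, so this function keeps a sibling of the overflow the commit is closing. The declaration of `chosen` is outside the hunk; if it is a fixed-size array like `devname`, the same pattern applies: `if (snprintf(chosen, sizeof(chosen), "%s", dev) >= (int)sizeof(chosen)) { pr_err(...); return -1; }`. The `if` statement continues past the end of the hunk, so any other branch that fills `chosen` should get the same length check.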