From 6f288478697996d439ee7f4d036602fe081a39f7 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sun, 4 Dec 2022 15:41:24 -0500 Subject: [PATCH] zdb: Handle theoretical buffer overflow when printing float CodeQL pointed out that for extreme floating point values, `sprintf()` will overwrite a 32 character buffer. It cited 1e304 as an example, which causes `sprintf()` to print 308 characters. In practice, the numbers should never exceed 100, so this should not happen. To silence the warning and also handle unexpected situations, we change the code to use `snprintf()`. This was missed during my audit of our use of `sprintf()`, since I did not think to consider extreme floating point representations. It also really should not happen, so this change is purely defensive programming. This was found by CodeQL's cpp/overrunning-write-with-float check. Reviewed-by: Damian Szuberski Reviewed-by: Alexander Motin Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #14264 --- cmd/zdb/zdb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c index 9c96ba2f7170..5d267bbe8391 100644 --- a/cmd/zdb/zdb.c +++ b/cmd/zdb/zdb.c @@ -3496,9 +3496,9 @@ dump_object(objset_t *os, uint64_t object, int verbosity, zdb_nicenum(doi.doi_physical_blocks_512 << 9, asize, sizeof (asize)); zdb_nicenum(doi.doi_bonus_size, bonus_size, sizeof (bonus_size)); zdb_nicenum(doi.doi_dnodesize, dnsize, sizeof (dnsize)); - (void) sprintf(fill, "%6.2f", 100.0 * doi.doi_fill_count * - doi.doi_data_block_size / (object == 0 ? DNODES_PER_BLOCK : 1) / - doi.doi_max_offset); + (void) snprintf(fill, sizeof (fill), "%6.2f", 100.0 * + doi.doi_fill_count * doi.doi_data_block_size / (object == 0 ? + DNODES_PER_BLOCK : 1) / doi.doi_max_offset); aux[0] = '\0';
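Review bot: The `(void)` cast on the new `snprintf()` call silently discards its return value, so if the formatted value ever did exceed the buffer the output would be truncated with no indication; since the message states the fill percentage should never exceed 100, silent truncation is acceptable here, but a `VERIFY3S(rc, <, sizeof (fill))`-style check (or at least a comment saying truncation is tolerated) would make that intent explicit. Also worth confirming at review that `fill` is declared as a `char` array in `dump_object()` rather than a pointer, since `sizeof (fill)` only yields the 32-character size the message describes in the array case; the declaration is outside this hunk. Finally, the expression still divides by `doi.doi_max_offset`, so a zero value produces `inf`/`nan` rather than a crash; that fits in the buffer and is unchanged by this patch, but it is the other way this field can print something unexpected.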