6314 buffer overflow in dsl_dataset_name


 651 {
 652         return (!refcount_is_zero(&ds->ds_longholds));
 653 }
 654 
 655 void
 656 dsl_dataset_name(dsl_dataset_t *ds, char *name)
 657 {
 658         if (ds == NULL) {
 659                 (void) strcpy(name, "mos");
 660         } else {
 661                 dsl_dir_name(ds->ds_dir, name);
 662                 VERIFY0(dsl_dataset_get_snapname(ds));
 663                 if (ds->ds_snapname[0]) {
 664                         (void) strcat(name, "@");
 665                         /*
 666                          * We use a "recursive" mutex so that we
 667                          * can call dprintf_ds() with ds_lock held.
 668                          */
 669                         if (!MUTEX_HELD(&ds->ds_lock)) {
 670                                 mutex_enter(&ds->ds_lock);



 671                                 (void) strcat(name, ds->ds_snapname);
 672                                 mutex_exit(&ds->ds_lock);
 673                         } else {



 674                                 (void) strcat(name, ds->ds_snapname);
 675                         }
 676                 }
 677         }
 678 }
 679 
 680 void
 681 dsl_dataset_rele(dsl_dataset_t *ds, void *tag)
 682 {
 683         dmu_buf_rele(ds->ds_dbuf, tag);
 684 }
 685 
 686 void
 687 dsl_dataset_disown(dsl_dataset_t *ds, void *tag)
 688 {
 689         ASSERT3P(ds->ds_owner, ==, tag);
 690         ASSERT(ds->ds_dbuf != NULL);
 691 
 692         mutex_enter(&ds->ds_lock);
 693         ds->ds_owner = NULL;




 651 {
 652         return (!refcount_is_zero(&ds->ds_longholds));
 653 }
 654 
 655 void
 656 dsl_dataset_name(dsl_dataset_t *ds, char *name)
 657 {
 658         if (ds == NULL) {
 659                 (void) strcpy(name, "mos");
 660         } else {
 661                 dsl_dir_name(ds->ds_dir, name);
 662                 VERIFY0(dsl_dataset_get_snapname(ds));
 663                 if (ds->ds_snapname[0]) {
 664                         (void) strcat(name, "@");
 665                         /*
 666                          * We use a "recursive" mutex so that we
 667                          * can call dprintf_ds() with ds_lock held.
 668                          */
 669                         if (!MUTEX_HELD(&ds->ds_lock)) {
 670                                 mutex_enter(&ds->ds_lock);
 671                                 VERIFY3U(strlen(name) +
 672                                          strlen(ds->ds_snapname) + 1, <=,
 673                                          ZFS_MAXNAMELEN);
 674                                 (void) strcat(name, ds->ds_snapname);
 675                                 mutex_exit(&ds->ds_lock);
 676                         } else {
 677                                 VERIFY3U(strlen(name) +
 678                                          strlen(ds->ds_snapname) + 1, <=,
 679                                          ZFS_MAXNAMELEN);
 680                                 (void) strcat(name, ds->ds_snapname);
 681                         }
 682                 }
 683         }
 684 }
 685 
 686 void
 687 dsl_dataset_rele(dsl_dataset_t *ds, void *tag)
 688 {
 689         dmu_buf_rele(ds->ds_dbuf, tag);
 690 }
 691 
 692 void
 693 dsl_dataset_disown(dsl_dataset_t *ds, void *tag)
 694 {
 695         ASSERT3P(ds->ds_owner, ==, tag);
 696         ASSERT(ds->ds_dbuf != NULL);
 697 
 698         mutex_enter(&ds->ds_lock);
 699         ds->ds_owner = NULL;
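Review bot: The new VERIFY3U checks (new-side lines 671-673 and 677-679) run only after `(void) strcat(name, "@");` on line 664 has already been appended, so when dsl_dir_name() has filled name to ZFS_MAXNAMELEN - 1 bytes the separator and its NUL are written one byte past the buffer before the check fires; a guard ahead of the separator, `VERIFY3U(strlen(name) + 2, <=, ZFS_MAXNAMELEN);`, closes that last gap. The check is also duplicated verbatim in both branches of the MUTEX_HELD() test, presumably because strlen(ds->ds_snapname) must be read under ds_lock; a one-line comment saying so above the first copy would stop a later cleanup from hoisting it out of the lock. Because the signature carries no length, the function's contract that `name` points to at least ZFS_MAXNAMELEN bytes is only implied by the constant; a comment on dsl_dataset_name stating that requirement (and that the `strcpy(name, "mos")` and dsl_dir_name() paths rely on it as well) would document what the checks assume. The function preceding line 651 and dsl_dataset_disown at the end both extend outside the hunk.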