6314 buffer overflow in dsl_dataset_name
@@ -666,13 +666,19 @@
* We use a "recursive" mutex so that we
* can call dprintf_ds() with ds_lock held.
*/
if (!MUTEX_HELD(&ds->ds_lock)) {
mutex_enter(&ds->ds_lock);
+ VERIFY3U(strlen(name) +
+ strlen(ds->ds_snapname) + 1, <=,
+ ZFS_MAXNAMELEN);
(void) strcat(name, ds->ds_snapname);
mutex_exit(&ds->ds_lock);
} else {
+ VERIFY3U(strlen(name) +
+ strlen(ds->ds_snapname) + 1, <=,
+ ZFS_MAXNAMELEN);
(void) strcat(name, ds->ds_snapname);
}
}
}
}
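Review bot: The added `VERIFY3U` at both `strcat` sites bounds the result by `ZFS_MAXNAMELEN`, but nothing visible in the hunk ties that constant to the real size of the caller's `name` buffer, so the overflow is only closed if every caller passes at least `ZFS_MAXNAMELEN` bytes. I would state that contract in the function's header comment, e.g. `/* name must point to a buffer of at least ZFS_MAXNAMELEN bytes */`. The check-then-append pair is also duplicated verbatim in the two lock branches; a bounded append that checks its own result, `VERIFY3U(strlcat(name, ds->ds_snapname, ZFS_MAXNAMELEN), <, ZFS_MAXNAMELEN);`, would keep the length test and the write from drifting apart. The function starts outside the hunk, so whether the earlier writes into `name` are bounded in the same way cannot be confirmed from here and is worth checking.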