[1/2] btrfs-progs: convert: fix the filename output when rolling back

Message ID 2edd8cb2811c90d6a65861379593680f233ade14.1721020542.git.wqu@suse.com (mailing list archive)
State New, archived
Series btrfs-progs: convert: fix the rollback filename output

Commit Message

Qu Wenruo July 15, 2024, 5:17 a.m. UTC
[BUG]
When rolling back a converted btrfs, the filename output is corrupted:

 $ btrfs-convert -r  ~/test.img
 btrfs-convert from btrfs-progs v6.9.2

 Open filesystem for rollback:
   Label:
   UUID:            df54baf3-c91e-4956-96f9-99413a857576
   Restoring from:  ext2_saved0ƨy/image
                              ^^^ Corruption
 Rollback succeeded

[CAUSE]
The error is in how we handle the filename.
In btrfs all our strings are not '\0' terminated, but with explicit
length.

But in C, most strings are '\0' terminated, so after reading a filename
from btrfs, we need to manually terminate the string.

However the code adding the terminating '\0' looks like this:

	/* Get the filename length. */
	name_len = btrfs_root_ref_name_len(path.nodes[0], root_ref_item);

	/*
	 * This should not happen, but as an extra handling for possible
	 * corrupted btrfs.
	 */
	if (name_len > sizeof(dir_name))
		name_len = sizeof(dir_name) - 1;
	/* Got the real filename into our buffer. */
 	read_extent_buffer(path.nodes[0], dir_name, (unsigned long)(root_ref_item + 1), name_len);

	/* Terminate the string. */
	dir_name[sizeof(dir_name) - 1] = 0;

The problem is, the final termination is totally wrong, it always makes
the last buffer char '\0', not using the @name_len we read before.

[FIX]
Use @name_len to terminate the string, as we have already updated it to
handle buffer overflow, it can handle both the regular and corrupted
case.

Fixes: dc29a5c51d63 ("btrfs-progs: convert: update default output")
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 convert/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Patch

diff --git a/convert/main.c b/convert/main.c
index 8e73aa25b1da..dfb9f44f6f75 100644
--- a/convert/main.c
+++ b/convert/main.c
@@ -1720,7 +1720,7 @@  static int do_rollback(const char *devname)
 	if (name_len > sizeof(dir_name))
 		name_len = sizeof(dir_name) - 1;
 	read_extent_buffer(path.nodes[0], dir_name, (unsigned long)(root_ref_item + 1), name_len);
-	dir_name[sizeof(dir_name) - 1] = 0;
+	dir_name[name_len] = 0;
 
 	printf("  Restoring from:  %s/%s\n", dir_name, image_name);
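
Review bot: The clamp in the context lines just above the changed line tests `name_len > sizeof(dir_name)`, so a name_len exactly equal to sizeof(dir_name) passes through unreduced, and the new `dir_name[name_len] = 0;` then stores the terminator one byte past the end of dir_name. The old termination at `sizeof(dir_name) - 1` could not go out of bounds in that case; now that the index comes from name_len, the check should be `if (name_len >= sizeof(dir_name))` so the largest value that reaches the store is sizeof(dir_name) - 1. Since the commit message describes this clamp as the handling for a corrupted filesystem, the boundary value is exactly the input that path has to get right.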