From 14ebbce280c875c99abad0714b59a28ddb22a8de Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sat, 2 Jul 2016 19:59:32 +0200
Subject: [PATCH] Avoid buffer overflow in uuid_or_device. The function uuid_or_device is prone to a buffer overflow if a very long spec has been defined. The range check happens against PATH_MAX, with i being set to 5 (due to "UUID=" offset of spec), but "/dev/disk/by-uuid" has been already written into device. The difference between "/dev/disk/by-uuid" and "UUID=" is 13, therefore the correct range check must happen against PATH_MAX - 13. @@ -204,7 +204,7 @@ const char *uuid_or_device(const char *spec) strcpy(device, "/dev/disk/by-uuid/");
---
 src/utils_tools.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils_tools.c b/src/utils_tools.c
index acd9708c..ce841592 100644
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -204,7 +204,7 @@ const char *uuid_or_device(const char *spec)
 strcpy(device, "/dev/disk/by-uuid/");
 ptr = &device[strlen(device)];
 i = uuid_len;
- while ((s = spec[i++]) && i < PATH_MAX) {
+ while ((s = spec[i++]) && i < (PATH_MAX - 13)) {
 if (!isxdigit(s) && s != '-')
 return spec; /* Bail it out */
 if (isalpha(s))
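Review bot: The new bound `PATH_MAX - 13` on the `while` line is a magic number tied to two string literals: it is the 18 bytes of "/dev/disk/by-uuid/" (with the trailing slash that the `strcpy` above writes) minus the 5 bytes of "UUID=". It stops protecting the buffer as soon as either literal or the size of `device` changes. Bounding on the destination instead keeps the check correct by construction, e.g. `while ((s = spec[i++]) && ptr < device + PATH_MAX - 1) {`, assuming `device` is a `PATH_MAX`-byte array and the loop body stores one byte per iteration before a final NUL; neither is visible in this hunk. An over-long spec also appears to be truncated rather than rejected when the loop exits on the bound, so returning `spec` there, as the non-hex branch does, would avoid handing back a path the caller never named. The function starts and ends outside the hunk, so the declaration of `device` and the terminating write should be checked against this.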