From c1fd8656459a347c98abd40ae55df3074b152081 Mon Sep 17 00:00:00 2001
From: Cyrill Gorcunov
Date: Thu, 26 Dec 2013 12:56:31 +0400
Subject: [PATCH] files: link remap -- Fix potential buffer overrun
If the former file had a path long enough to be near PATH_MAX limit, sprintf'ing link_remap.%d here might overrun the limit. Use snprintf instead.
Signed-off-by: Cyrill Gorcunov
Signed-off-by: Pavel Emelyanov
---
 files-reg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files-reg.c b/files-reg.c
index 65c182d0d..542764a54 100644
--- a/files-reg.c
+++ b/files-reg.c
@@ -379,7 +379,7 @@ static int create_link_remap(char *path, int len, int lfd, u32 *idp)
 rfe.name = link_name + 1;
 /* Any 'unique' name works here actually. Remap works by reg-file ids. */
- sprintf(tmp + 1, "link_remap.%d", rfe.id);
+ snprintf(tmp + 1, sizeof(link_name) - (size_t)(tmp - link_name - 1), "link_remap.%d", rfe.id);
 if (linkat(lfd, "", mntns_root, link_name, AT_EMPTY_PATH) < 0) {
 pr_perror("Can't link remap to %s", path);
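Review bot: The size passed to the new `snprintf` looks two bytes too large: the write starts at `tmp + 1`, so the space left in `link_name` is `sizeof(link_name) - (tmp + 1 - link_name)`, while the patch computes `sizeof(link_name) - (tmp - link_name - 1)`. With a path close to PATH_MAX the call could therefore still write past the end of the buffer, which is the case the commit sets out to close. I would use `snprintf(tmp + 1, sizeof(link_name) - (size_t)(tmp + 1 - link_name), "link_remap.%d", rfe.id)` and treat a return value that is negative or not smaller than that size as an error, since a silently truncated name would otherwise be handed to `linkat`. The declarations of `link_name` and `tmp` and the rest of `create_link_remap` are outside the hunk, so this assumes `link_name` is a char array and `tmp` points into it.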