From 06161b8f4c4ad4b7ed3e2774dba7585288614e09 Mon Sep 17 00:00:00 2001 From: rootvector2 Date: Thu, 28 May 2026 14:39:47 +0530 Subject: [PATCH] test/ringbuf-read: bound strcpy of argv[1] into fname main() copies argv[1] into the 80-byte fname[] stack buffer with an unbounded strcpy. Passing a path longer than 79 bytes overflows the buffer and clobbers the surrounding frame, e.g. $ ./ringbuf-read $(python3 -c 'print("A"*256)') triggers a stack-buffer-overflow under -fsanitize=address. Replace the strcpy with snprintf() bounded by sizeof(fname). Signed-off-by: rootvector2
---
test/ringbuf-read.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/ringbuf-read.c b/test/ringbuf-read.c
index f02d935b1..1881064fc 100644
--- a/test/ringbuf-read.c
+++ b/test/ringbuf-read.c
@@ -137,7 +137,7 @@ int main(int argc, char *argv[])
 int ret, fd, i, do_unlink;

 if (argc > 1) {
- strcpy(fname, argv[1]);
+ snprintf(fname, sizeof(fname), "%s", argv[1]);
 do_unlink = 0;
 } else {
 sprintf(fname, ".ringbuf-read.%d", getpid());
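Review bot: The added `snprintf()` call discards its return value, so an argv[1] longer than 79 bytes is now silently truncated and the test carries on with a path the caller never named. How `fname` is used afterwards lies outside the hunk, but since `do_unlink` is set to 0 on this branch, a file created under the truncated name would presumably be left behind. Rejecting over-long input keeps the failure visible: `ret = snprintf(fname, sizeof(fname), "%s", argv[1]);` followed by `if (ret < 0 || (size_t) ret >= sizeof(fname)) return 1;` (or whichever failure code this test uses), reusing the `int ret` already declared in the hunk. The `sprintf()` in the else branch is bounded by its format and a pid, though switching it to `snprintf(fname, sizeof(fname), ...)` would keep both writes to `fname` consistent. main() starts and ends outside the hunk.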