From: Joan Lledó <jlle...@member.fsf.org> * pci-arbiter/pcifs.c: * create_dir_entry: Limit to NAME_SIZE-1 when calling strncpy(). Finish entry->name with '\0'. * create_fs_tree: memset() to 0 the directory entry. Limit to NAME_SIZE-1 all calls to snprintf() and strncpy(). --- pci-arbiter/pcifs.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/pci-arbiter/pcifs.c b/pci-arbiter/pcifs.c
index e68e4b8f..0ff1851c 100644
--- a/pci-arbiter/pcifs.c
+++ b/pci-arbiter/pcifs.c
@@ -45,7 +45,8 @@ create_dir_entry (int32_t domain, int16_t bus, int16_t dev,
 entry->dev = dev; entry->func = func; entry->device_class = device_class;
- strncpy (entry->name, name, NAME_SIZE);
+ strncpy (entry->name, name, NAME_SIZE - 1);
+ entry->name[NAME_SIZE - 1] = '\0';
 entry->parent = parent; entry->stat = stat; entry->dir = 0;
@@ -193,6 +194,7 @@ create_fs_tree (struct pcifs * fs)
 return ENOMEM; e = list + 1;
+ memset (e, 0, sizeof (struct pcifs_dirent));
 c_domain = c_bus = c_dev = -1; domain_parent = bus_parent = dev_parent = func_parent = 0; iter = pci_slot_match_iterator_create(&match);
@@ -206,7 +208,7 @@ create_fs_tree (struct pcifs * fs)
 e_stat = list->stat; e_stat.st_mode &= ~S_IROOT; /* Remove the root mode */ memset (entry_name, 0, NAME_SIZE);
- snprintf (entry_name, NAME_SIZE, "%04x", device->domain);
+ snprintf (entry_name, NAME_SIZE - 1, "%04x", device->domain);
 err = create_dir_entry (device->domain, -1, -1, -1, -1, entry_name, list, e_stat, 0, 0, e);
@@ -224,7 +226,7 @@ create_fs_tree (struct pcifs * fs)
 { /* We've found a new bus. Add an entry for it */ memset (entry_name, 0, NAME_SIZE);
- snprintf (entry_name, NAME_SIZE, "%02x", device->bus);
+ snprintf (entry_name, NAME_SIZE - 1, "%02x", device->bus);
 err = create_dir_entry (device->domain, device->bus, -1, -1, -1, entry_name, domain_parent, domain_parent->stat,
@@ -242,7 +244,7 @@ create_fs_tree (struct pcifs * fs)
 { /* We've found a new dev. Add an entry for it */ memset (entry_name, 0, NAME_SIZE);
- snprintf (entry_name, NAME_SIZE, "%02x", device->dev);
+ snprintf (entry_name, NAME_SIZE - 1, "%02x", device->dev);
 err = create_dir_entry (device->domain, device->bus, device->dev, -1, -1, entry_name, bus_parent, bus_parent->stat, 0,
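Review bot: In the `@@ -193,6 +194,7 @@` hunk of create_fs_tree, the added `memset (e, 0, sizeof (struct pcifs_dirent));` clears only the single entry at `list + 1`. If later entries are reached by advancing `e` (that code is outside the hunk), they keep whatever the allocation returned, so any field create_dir_entry does not assign stays uninitialized for them. Clearing the whole array once where it is allocated, for example by obtaining it zero-filled, would cover every entry and make this per-entry memset unnecessary. The allocation above `return ENOMEM;` is outside the hunk, so confirm how the array is obtained; `sizeof *e` would also keep the size tied to the pointer's type.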
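Review bot: Passing `NAME_SIZE - 1` to snprintf in the `@@ -206,7 +208,7 @@` hunk adds no safety, because snprintf's size argument already counts the terminating NUL; the previous `NAME_SIZE` could not leave `entry_name` unterminated, and the new bound only gives up one usable byte. The same applies to the snprintf calls in the hunks at -224, -242, -261 and -293. What is still missing is a truncation check, since every return value is discarded: keep `snprintf (entry_name, NAME_SIZE, "%04x", device->domain);`, store its result in an `int n`, and treat `n < 0 || n >= NAME_SIZE` as an error instead of creating an entry with a shortened name. This assumes `entry_name` is a `NAME_SIZE`-byte array, whose declaration is outside the hunks.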
@@ -261,7 +263,7 @@ create_fs_tree (struct pcifs * fs)
 /* Add func entry */ memset (entry_name, 0, NAME_SIZE);
- snprintf (entry_name, NAME_SIZE, "%01u", device->func);
+ snprintf (entry_name, NAME_SIZE - 1, "%01u", device->func);
 err = create_dir_entry (device->domain, device->bus, device->dev, device->func, device->device_class, entry_name,
@@ -279,7 +281,7 @@ create_fs_tree (struct pcifs * fs)
 e_stat.st_size = PCI_CONFIG_SIZE; // FIXME: Hardcoded /* Create config entry */
- strncpy (entry_name, FILE_CONFIG_NAME, NAME_SIZE);
+ strncpy (entry_name, FILE_CONFIG_NAME, NAME_SIZE - 1);
 err = create_dir_entry (device->domain, device->bus, device->dev, device->func, device->device_class, entry_name,
@@ -293,7 +295,7 @@ create_fs_tree (struct pcifs * fs)
 if (device->regions[j].size > 0) { e_stat.st_size = device->regions[j].size;
- snprintf (entry_name, NAME_SIZE, "%s%01u", FILE_REGION_NAME, j);
+ snprintf (entry_name, NAME_SIZE - 1, "%s%01u", FILE_REGION_NAME, j);
 err = create_dir_entry (device->domain, device->bus, device->dev, device->func, device->device_class,
@@ -310,7 +312,7 @@ create_fs_tree (struct pcifs * fs)
 /* Make rom is read only */ e_stat.st_mode &= ~(S_IWUSR | S_IWGRP); e_stat.st_size = device->rom_size;
- strncpy (entry_name, FILE_ROM_NAME, NAME_SIZE);
+ strncpy (entry_name, FILE_ROM_NAME, NAME_SIZE - 1);
 err = create_dir_entry (device->domain, device->bus, device->dev, device->func, device->device_class, entry_name,
-- 2.20.1
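Review bot: After `strncpy (entry_name, FILE_CONFIG_NAME, NAME_SIZE - 1);` in the `@@ -279,7 +281,7 @@` hunk nothing writes `entry_name[NAME_SIZE - 1]`, so if the constant is ever `NAME_SIZE - 1` characters or longer, termination depends on that byte still being zero from a memset done for an earlier entry. create_dir_entry in this same patch sets the last byte explicitly; doing the same here with `entry_name[NAME_SIZE - 1] = '\0';`, or replacing the call with `snprintf (entry_name, NAME_SIZE, "%s", FILE_CONFIG_NAME);`, makes the guarantee local to the copy. The `FILE_ROM_NAME` copy in the `@@ -310,7 +312,7 @@` hunk has the same shape. This assumes `entry_name` is `NAME_SIZE` bytes; its declaration is outside the hunks.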