14/01/2019 17:24, Stephen Hemminger:
> On Mon, 14 Jan 2019 13:29:38 +0000
> Ferruh Yigit <ferruh.yi...@intel.com> wrote:
>
> > On 1/14/2019 6:04 AM, Chaitanya Babu Talluri wrote:
> > > Strcat does not check the destination length and there might be
> > > chances of string overflow so insted of strcat, strncat is used.
> > >
> > > Fixes: 540a211084 ("bnx2x: driver core")
> > > Fixes: e163c18a15 ("net/i40e: update ptype and pctype info")
> > > Fixes: ef28aa96e5 ("net/nfp: support multiprocess")
> > > Fixes: 6f4eec2565 ("test/crypto: enhance scheduler unit tests")
> > > Cc: sta...@dpdk.org
> > >
> > > Signed-off-by: Chaitanya Babu Talluri <tallurix.chaitanya.b...@intel.com>
> > >
> >
> > <...>
> >
> > > @@ -685,11 +687,11 @@ nfp_acquire_secondary_process_lock(struct
> > > nfp_pcie_user *desc)
> > > * driver is used because that implies root user.
> > > */
> > > home_path = getenv("HOME");
> > > - lockfile = calloc(strlen(home_path) + strlen(lockname) + 1,
> > > + lockfile = calloc(LOCKFILE_HOME_PATH + strlen(lockname) + 1,
> > > sizeof(char));
> > >
> > > - strcat(lockfile, home_path);
> > > - strcat(lockfile, "/.lock_nfp_secondary");
> > > + strncat(lockfile, home_path, LOCKFILE_HOME_PATH);
> > > + strncat(lockfile, lockname, strlen(lockfile));
> >
> > I guess this need to be 'LOCKFILE_HOME_PATH - strlen(lockfile) - 1' instead.
> > But also this can be implemented as 'snprintf()'
> >
> > Since 'lockfile' allocated dynamically based on sizes of existing strings,
> > using
> > 'lockname' instead of "/.lock_nfp_secondary" will show that there won't be
> > any
> > overflow but tools still may be complaining about 'strcat' usage.
> >
> >
>
> Why not use vasprintf() instead of doing manual construction?
Any update please?
