On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote:
-----Original Message-----
From: dev [mailto:[email protected]] On Behalf Of Michal Jastrzebski
Sent: Friday, September 22, 2017 3:08 PM
To: [email protected]; [email protected]
Cc: [email protected]; Jain, Deepak K <[email protected]>; Piasecki,
JacekX <[email protected]>; Liu, Changpeng
<[email protected]>; [email protected]
Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated
From: Jacek Piasecki <[email protected]>
Fix size of buffer in strcpy. There was possible to get
not terminated string after copy operation.
Coverity issue: 158631
Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app")
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Jacek Piasecki <[email protected]>
---
examples/vhost_scsi/scsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c
index 54d3104..de9639a 100644
--- a/examples/vhost_scsi/scsi.c
+++ b/examples/vhost_scsi/scsi.c
@@ -307,7 +307,8 @@
strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
/* PRODUCT IDENTIFICATION */
- strncpy((char *)inqdata->product_id, bdev->product_name,
16);
+ strncpy((char *)inqdata->product_id, bdev->product_name,
+ ARRAY_SIZE(inqdata->product_id) - 1);
Does it assume that product_id is memzero'ed before?
IIUC strncpy manpage, it wouldn't protect against non-null terminated
strings if it is not the case:
"
A simple implementation of strncpy() might be:
char *
strncpy(char *dest, const char *src, size_t n)
{
size_t i;
for (i = 0; i < n && src[i] != '\0'; i++)
dest[i] = src[i];
for ( ; i < n; i++)
dest[i] = '\0';
return dest;
}
"
Cheers,
Maxime
/* PRODUCT REVISION LEVEL */
strncpy((char *)inqdata->product_rev, "0001", 4);
--
1.9.1
Hi Yu / Maxime,
I would like to ask for a feedback regarding proposed fix.
If everything is ok with it, please send acked-by.
Best regards
Michal.
