On Tue, Aug 06, 2024 at 09:12:21PM +0200, Martin Wilck wrote: > On Fri, 2024-08-02 at 13:26 -0400, Benjamin Marzinski wrote: > > The ontap prioritizer functions dump_cdb() and process_sg_error() > > both > > incorrectly set the snprintf() limits larger than the available > > space. > > Instead of multiplying the number of elements to print by the size of > > an > > element to calculate the limit, they multiplied the number of > > elements > > to print by the maximum number of elements that the buffer could > > hold. > > > > Fix this, and also make sure that the number of elements to print is > > less than or equal to the maximum number that the buffer can hold. > > > > Signed-off-by: Benjamin Marzinski <[email protected]> > > --- > > libmultipath/prioritizers/ontap.c | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/libmultipath/prioritizers/ontap.c > > b/libmultipath/prioritizers/ontap.c > > index 117886ea..28e663ac 100644 > > --- a/libmultipath/prioritizers/ontap.c > > +++ b/libmultipath/prioritizers/ontap.c > > @@ -39,8 +39,8 @@ static void dump_cdb(unsigned char *cdb, int size) > > char * p = &buf[0]; > > > > condlog(0, "- SCSI CDB: "); > > - for (i=0; i<size; i++) { > > - p += snprintf(p, 10*(size-i), "0x%02x ", cdb[i]); > > + for (i = 0; i < size && i < 10; i++) { > > + p += snprintf(p, 5*(size-i), "0x%02x ", cdb[i]); > > } > > This seems incorrect, too. We should pass the remaining size of the > buffer, which is ((10 - i) * 5 + 1), unless I am mistaken. It's bogus > to use the "size" variable in the calculation of the remaining buffer > size. Plus, we should break the loop if i >= 10, and check the return > value of snprintf (if we don't, we might as well use sprintf in the > first place). > > Actually, this code is horrible and we should rather use strbuf. > Strange that none of our many compilers found this, and even coverity > didn't. > > > condlog(0, "%s", buf); > > } > > @@ -56,8 +56,8 @@ static void process_sg_error(struct sg_io_hdr > > *io_hdr) > > io_hdr->host_status, io_hdr->driver_status); > > if (io_hdr->sb_len_wr > 0) { > > condlog(0, "- SCSI sense data: "); > > - for (i=0; i<io_hdr->sb_len_wr; i++) { > > - p += snprintf(p, 128*(io_hdr->sb_len_wr-i), > > "0x%02x ", > > + for (i = 0; i < io_hdr->sb_len_wr && i < 128; i++) { > > + p += snprintf(p, 5*(io_hdr->sb_len_wr-i), > > "0x%02x ", > > io_hdr->sbp[i]); > > } > > Same here, the remaining buffer size is (5 * (128 - i) + 1).
Sure. I'll send a v2. -Ben > Martin > > > condlog(0, "%s", buf);
