From: Vasily Gorbik <g...@linux.ibm.com>

[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]

arch/s390/mm/extmem.c: In function '__segment_load':
arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
source length [-Wstringop-overflow=]
  strncat(seg->res_name, " (DCSS)", 7);

What gcc complains about here is the misuse of strncat function, which
in this case does not limit a number of bytes taken from "src", so it is
in the end the same as strcat(seg->res_name, " (DCSS)");

Keeping in mind that a res_name is 15 bytes, strncat in this case
would overflow the buffer and write 0 into alignment byte between the
fields in the struct. To avoid that increasing res_name size to 16,
and reusing strlcat.

Reviewed-by: Heiko Carstens <heiko.carst...@de.ibm.com>
Signed-off-by: Vasily Gorbik <g...@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidef...@de.ibm.com>
Signed-off-by: Sasha Levin <alexander.le...@microsoft.com>
---
 arch/s390/mm/extmem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/mm/extmem.c b/arch/s390/mm/extmem.c
index 02042b6b66bf..e6665a6e105e 100644
--- a/arch/s390/mm/extmem.c
+++ b/arch/s390/mm/extmem.c
@@ -79,7 +79,7 @@ struct qin64 {
 struct dcss_segment {
        struct list_head list;
        char dcss_name[8];
-       char res_name[15];
+       char res_name[16];
        unsigned long start_addr;
        unsigned long end;
        atomic_t ref_count;
@@ -432,7 +432,7 @@ __segment_load (char *name, int do_nonshared, unsigned long 
*addr, unsigned long
        memcpy(&seg->res_name, seg->dcss_name, 8);
        EBCASC(seg->res_name, 8);
        seg->res_name[8] = '\0';
-       strncat(seg->res_name, " (DCSS)", 7);
+       strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
        seg->res->name = seg->res_name;
        rc = seg->vm_segtype;
        if (rc == SEG_TYPE_SC ||
-- 
2.17.1

Reply via email to