> -----Original Message----- > From: linux-scsi-ow...@vger.kernel.org [mailto:linux-scsi- > ow...@vger.kernel.org] On Behalf Of Rickard Strandqvist ... > diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c ... > static void scsi_strcpy_devinfo(char *name, char *to, size_t to_length, > char *from, int compatible) > { > - size_t from_length; > - > - from_length = strlen(from); > - strncpy(to, from, min(to_length, from_length)); > - if (from_length < to_length) { > - if (compatible) { > - /* > - * NUL terminate the string if it is short. > - */ > - to[from_length] = '\0'; > - } else { > - /* > - * space pad the string if it is short. > - */ > - strncpy(&to[from_length], spaces, > - to_length - from_length); > - } > - } > - if (from_length > to_length) > - printk(KERN_WARNING "%s: %s string '%s' is too long\n", > + strncpy(to, from, to_length); > + if (to[to_length - 1] != '\0') { > + to[to_length - 1] = '\0'; > + printk(KERN_WARNING "%s: %s string '%s' is too long\n", > __func__, name, from); > + }
The caller of this function, scsi_dev_info_list_add_keyed, created the "to" destination buffer, devinfo, with kmalloc, so it's not guaranteed to be full of zeros. If from_length is shorter than to_length, then this code will be inspecting an uninitialized character that strncpy didn't touch. --- Rob Elliott HP Server Storage -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
