On Sat, Mar 10, 2012 at 7:56 PM, Floris Bos <b...@je-eigen-domein.nl> wrote: > @@ -1885,6 +1885,22 @@ int ide_init_drive(IDEState *s, BlockDriverState *bs, > IDEDriveKind kind, > snprintf(s->drive_serial_str, sizeof(s->drive_serial_str), > "QM%05d", s->drive_serial); > } > + if (model) { > + strncpy(s->drive_model_str, model, sizeof(s->drive_model_str));
strncpy(3) does not NUL-terminate if the max length is reached. Either you need to use pstrcpy() or specify sizeof(s->drive_model_str) - 1 and make sure s->drive_model_str[40] = '\0'. > @@ -146,6 +155,9 @@ static int ide_dev_initfn(IDEDevice *dev, IDEDriveKind > kind) > if (!dev->serial) { > dev->serial = g_strdup(s->drive_serial_str); > } > + if (!dev->model) { > + dev->model = g_strdup(s->drive_model_str); > + } Seems this will never be freed but dev->serial has the same issue, so this isn't new. Stefan
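Review bot: In the ide_init_drive hunk (@@ -1885), the new `strncpy(s->drive_model_str, model, sizeof(s->drive_model_str));` can leave the buffer without a terminating NUL when `model` is as long as or longer than the buffer, while the serial path just above it uses snprintf() and therefore always terminates. Use the same guarantee for the model string, e.g. `pstrcpy(s->drive_model_str, sizeof(s->drive_model_str), model);`, or pass `sizeof(s->drive_model_str) - 1` and store the terminator explicitly, so every later reader of drive_model_str can rely on a C string.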
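Review bot: In the ide_dev_initfn hunk (@@ -146), `dev->model = g_strdup(s->drive_model_str);` allocates a string that nothing visible here releases, mirroring the existing `dev->serial = g_strdup(s->drive_serial_str);` right above it. Since the patch copies the pattern, it would be worth either adding a g_free() for both fields in the device's cleanup path in this series or stating in the commit message that the leak is pre-existing and intentionally left alone, so the next reader does not rediscover it.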