Hi Andi,
Anyway, we cannot keep strcpy: in the case where name is not NULL terminated,
msg.name is overflowed.
Trying to find some safe design pattern about that, I've found strscpy:
https://lwn.net/Articles/643376/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30c44659f4a3e7
On Wed, Jan 03, 2018 at 09:40:04AM +, Hugues FRUCHET wrote:
> Hi Andi,
> Thanks for the patch but I would suggest to use strlcpy instead, this
> will guard msg.name overwriting and add the NULL termination in case
> of truncation:
> - memcpy(msg.name, name, sizeof(msg.name));
> - msg.n
Hi Andi,
Thanks for the patch but I would suggest to use strlcpy instead, this
will guard msg.name overwriting and add the NULL termination in case
of truncation:
- memcpy(msg.name, name, sizeof(msg.name));
- msg.name[sizeof(msg.name) - 1] = 0;
+ strlcpy(msg.name, name, sizeof(ms
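Review bot: on the added strlcpy line, the write into msg.name is bounded by the size argument but the read from name is not. strlcpy computes strlen(name) for its return value, so it keeps reading until it finds a NUL in the source, and a caller that passes an unterminated buffer would still trigger a read past the end of name. strscpy with the same sizeof(msg.name) bound stops reading at the destination size, always NUL-terminates, and returns -E2BIG on truncation, so the caller can reject an over-long name instead of silently using a shortened one.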
From: Andi Kleen
The single caller passes a string to delta_ipc_open, which copies with a
fixed size larger than the string. So it copies some random data after
the original string the ro segment.
If the string was at the end of a page it may fault.
Just copy the string with a normal strcpy aft