Bug 49461
| Summary: | scsi/bfa/bfad.c:1037: possible off by one in strncpy ? | ||
|---|---|---|---|
| Product: | IO/Storage | Reporter: | David Binderman (dcb314) |
| Component: | SCSI | Assignee: | linux-scsi (linux-scsi) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | alan, jz.researcher |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 3.7-rc2 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
In 3.10.9, it is correct:
scsi/bfa/bfad.c : 1036
strncpy(driver_info.os_device_name, bfad->pci_name,
sizeof(driver_info.os_device_name) - 1);
scsi/bfa/bfad.c : 1014
struct bfa_fcs_driver_info_s driver_info;
scsi/bfa/bfa_fcs.h : 672
struct bfa_fcs_driver_info_s {
u8 version[BFA_VERSION_LEN]; /* Driver Version */
u8 host_machine_name[BFA_FCS_OS_STR_LEN];
u8 host_os_name[BFA_FCS_OS_STR_LEN]; /* OS name and version */
u8 host_os_patch[BFA_FCS_OS_STR_LEN]; /* patch or service pack */
u8 os_device_name[BFA_FCS_OS_STR_LEN]; /* Driver Device Name */
};
The copy length here is (BFA_FCS_OS_STR_LEN - 1), which should be.
|
The above source code is if (os_name) strncpy(driver_info.host_os_name, os_name, sizeof(driver_info.host_os_name) - 1); if (os_patch) strncpy(driver_info.host_os_patch, os_patch, sizeof(driver_info.host_os_patch) - 1); strncpy(driver_info.os_device_name, bfad->pci_name, sizeof(driver_info.os_device_name - 1)); The last strncpy doesn't match the style of the previous ones. Maybe it should.