diff options
author | Oleksandr Tymoshenko <gonzo@FreeBSD.org> | 2019-02-11 07:42:32 +0000 |
---|---|---|
committer | Oleksandr Tymoshenko <gonzo@FreeBSD.org> | 2019-02-11 07:42:32 +0000 |
commit | 3af08701cd5e734620cac6ea1e051c316869fdf9 (patch) | |
tree | 658c67e45ce0524833660a472d0f06e079116e70 | |
parent | d178fee632ca8cc891cf33737bb8ca94a2a9555e (diff) | |
download | src-3af08701cd5e734620cac6ea1e051c316869fdf9.tar.gz src-3af08701cd5e734620cac6ea1e051c316869fdf9.zip |
Fix off-by-one error in BERI virtio driver
The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero,
so there is one byte written out of array bounds.As a fix use strncpy it
appends \0 only if space allows and its behavior matches virtio spec:
When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.
PR: 202298
Reviewed by: br
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D18852
Notes
Notes:
svn path=/head/; revision=343998
-rw-r--r-- | sys/dev/beri/virtio/virtio_block.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/beri/virtio/virtio_block.c b/sys/dev/beri/virtio/virtio_block.c index 50bb7f3a53bd..7c8a03966a39 100644 --- a/sys/dev/beri/virtio/virtio_block.c +++ b/sys/dev/beri/virtio/virtio_block.c @@ -187,7 +187,7 @@ vtblk_proc(struct beri_vtblk_softc *sc, struct vqueue_info *vq) break; case VIRTIO_BLK_T_GET_ID: /* Assume a single buffer */ - strlcpy(iov[1].iov_base, sc->ident, + strncpy(iov[1].iov_base, sc->ident, MIN(iov[1].iov_len, sizeof(sc->ident))); err = 0; break; @@ -401,7 +401,7 @@ backend_info(struct beri_vtblk_softc *sc) s+=1; } - sprintf(sc->ident, "Virtio block backend"); + strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident)); return (0); } |