There's currently a warning about string overflow with strncat:
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
bound 64 equals destination size [-Werror=stringop-overflow=]
strncat(vscsi->eye, vdev->name, MAX_EYE);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Switch to using strlcat which correctly accounts for lengths that
are equal to the destination buffer.
Signed-off-by: Laura Abbott <[email protected]>
---
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
index fac377320158..53d344d8dc43 100644
--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
@@ -3475,7 +3475,7 @@ static int ibmvscsis_probe(struct vio_dev *vdev,
vscsi->dds.window[REMOTE].liobn);
strcpy(vscsi->eye, "VSCSI ");
- strncat(vscsi->eye, vdev->name, MAX_EYE);
+ strlcat(vscsi->eye, vdev->name, MAX_EYE);
vscsi->dds.unit_id = vdev->unit_address;
strncpy(vscsi->dds.partition_name, partition_name,
--
2.17.1
On Mon, Sep 10, 2018 at 3:37 PM, Laura Abbott <[email protected]> wrote:
> There's currently a warning about string overflow with strncat:
>
> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
> bound 64 equals destination size [-Werror=stringop-overflow=]
> strncat(vscsi->eye, vdev->name, MAX_EYE);
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Switch to using strlcat which correctly accounts for lengths that
> are equal to the destination buffer.
>
> Signed-off-by: Laura Abbott <[email protected]>
> ---
> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
> index fac377320158..53d344d8dc43 100644
> --- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
> +++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
> @@ -3475,7 +3475,7 @@ static int ibmvscsis_probe(struct vio_dev *vdev,
> vscsi->dds.window[REMOTE].liobn);
>
> strcpy(vscsi->eye, "VSCSI ");
> - strncat(vscsi->eye, vdev->name, MAX_EYE);
> + strlcat(vscsi->eye, vdev->name, MAX_EYE);
Can this just get switched to snprintf() instead?
snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI%s", vdev->name);
> vscsi->dds.unit_id = vdev->unit_address;
> strncpy(vscsi->dds.partition_name, partition_name,
And does this strncpy need a NUL-termination and/or trailing padding?
-Kees
--
Kees Cook
Pixel Security
On 9/10/18 6:30 PM, Kees Cook wrote:
> On Mon, Sep 10, 2018 at 3:37 PM, Laura Abbott <[email protected]> wrote:
>> There's currently a warning about string overflow with strncat:
>>
>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
>> bound 64 equals destination size [-Werror=stringop-overflow=]
>> strncat(vscsi->eye, vdev->name, MAX_EYE);
>> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Switch to using strlcat which correctly accounts for lengths that
>> are equal to the destination buffer.
>>
>> Signed-off-by: Laura Abbott <[email protected]>
>> ---
>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>> index fac377320158..53d344d8dc43 100644
>> --- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>> +++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>> @@ -3475,7 +3475,7 @@ static int ibmvscsis_probe(struct vio_dev *vdev,
>> vscsi->dds.window[REMOTE].liobn);
>>
>> strcpy(vscsi->eye, "VSCSI ");
>> - strncat(vscsi->eye, vdev->name, MAX_EYE);
>> + strlcat(vscsi->eye, vdev->name, MAX_EYE);
> Can this just get switched to snprintf() instead?
>
> snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI%s", vdev->name);
Either works for me.
>
>> vscsi->dds.unit_id = vdev->unit_address;
>> strncpy(vscsi->dds.partition_name, partition_name,
> And does this strncpy need a NUL-termination and/or trailing padding?
>
Yes, good catch, it does need NUL-termination.
-Bryant
On 09/11/2018 07:34 AM, Bryant G. Ly wrote:
> On 9/10/18 6:30 PM, Kees Cook wrote:
>
>> On Mon, Sep 10, 2018 at 3:37 PM, Laura Abbott <[email protected]> wrote:
>>> There's currently a warning about string overflow with strncat:
>>>
>>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
>>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
>>> bound 64 equals destination size [-Werror=stringop-overflow=]
>>> strncat(vscsi->eye, vdev->name, MAX_EYE);
>>> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> Switch to using strlcat which correctly accounts for lengths that
>>> are equal to the destination buffer.
>>>
>>> Signed-off-by: Laura Abbott <[email protected]>
>>> ---
>>> drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>>> index fac377320158..53d344d8dc43 100644
>>> --- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>>> +++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
>>> @@ -3475,7 +3475,7 @@ static int ibmvscsis_probe(struct vio_dev *vdev,
>>> vscsi->dds.window[REMOTE].liobn);
>>>
>>> strcpy(vscsi->eye, "VSCSI ");
>>> - strncat(vscsi->eye, vdev->name, MAX_EYE);
>>> + strlcat(vscsi->eye, vdev->name, MAX_EYE);
>> Can this just get switched to snprintf() instead?
>>
>> snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI%s", vdev->name);
>
> Either works for me.
>
I'll switch to the snprintf since that's cleaner.
>>
>>> vscsi->dds.unit_id = vdev->unit_address;
>>> strncpy(vscsi->dds.partition_name, partition_name,
>> And does this strncpy need a NUL-termination and/or trailing padding?
>>
> Yes, good catch, it does need NUL-termination.
>
I can send that cleanup in a second patch.
> -Bryant
>
>