Date: Tue, 6 Jan 2009 01:27:59 +0000
From: Alasdair G Kergon
To: Geert Uytterhoeven
Cc: Stephen Rothwell, Milan Broz, Jaya Kumar, Laurent Pinchart, Mauro Carvalho Chehab, Gene Sally, Sam Ravnborg, Andrew Morton, linux-next@vger.kernel.org, LKML
Subject: Re: strncat() misuse (was: Re: dm_attr_{name,uuid}_show buffer overflow? (was: Re: linux-next: Tree for January 5))
Message-ID: <20090106012759.GA3512@agk.fab.redhat.com>

On Mon, Jan 05, 2009 at 11:18:38PM +0100, Geert Uytterhoeven wrote:
> On Mon, 5 Jan 2009, Geert Uytterhoeven wrote:
> > On Mon, 5 Jan 2009, Stephen Rothwell wrote:
> > | strncat(buf, "\n", DM_NAME_LEN);
> > | return strnlen(buf, DM_NAME_LEN);
> > Probably the intention was to limit the string in _buf_ (not the source string
> > "\n") to DM_NAME_LEN? If yes, this may cause a buffer overflow.

Both the 'n's look bogus to me as runtime checks.

But I think the code happens to work correctly - apart from your
compilation problem. buf is always a page and both strings (name and
uuid) are NULL-terminated and the longest possible is 128 chars of uuid
plus the "\n" i.e. 130 (except for a bug I noticed on one code path
which we'll fix).

Alasdair
--
agk@redhat.com
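
The strncat() semantics discussed in this thread, as an added example that is not part of the original message or of the kernel source: the third argument caps how much is taken from the source string, not how large the destination is. The helper names and the DM_NAME_LEN value of 128 are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DM_NAME_LEN 128 /* assumed value; the thread only names the constant */

/* Bytes strncat(dst, src, n) needs in dst, terminator included.
 * n caps what is taken from src; it says nothing about dst's size. */
size_t strncat_bytes_needed(const char *dst, const char *src, size_t n)
{
    size_t take = strlen(src);

    if (take > n)
        take = n;
    return strlen(dst) + take + 1;
}

/* Hypothetical helper: append src to dst only if the result, with its
 * terminator, fits in dst_size bytes. Returns the new length, or -1. */
long append_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    size_t used, add = strlen(src);

    if (!end)                       /* dst not terminated within dst_size */
        return -1;
    used = (size_t)(end - dst);
    if (add > dst_size - used - 1)  /* no room for src plus terminator */
        return -1;
    memcpy(dst + used, src, add + 1);
    return (long)(used + add);
}

/* Constructed case: a DM_NAME_LEN-byte buffer that is already full. */
int demo_full_buffer(void)
{
    char buf[DM_NAME_LEN];

    memset(buf, 'a', DM_NAME_LEN - 1);
    buf[DM_NAME_LEN - 1] = '\0';
    /* strncat(buf, "\n", DM_NAME_LEN) would need one byte more than buf has. */
    if (strncat_bytes_needed(buf, "\n", DM_NAME_LEN) != (size_t)DM_NAME_LEN + 1)
        return 0;
    /* The destination-bounded append refuses instead of writing past buf. */
    return append_bounded(buf, sizeof(buf), "\n") == -1;
}
```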