[xen stable-4.9] tools/blktap2: fix possible '\0' truncation
commit 1eae17268887bacbc598ef6e3290059dbeb4fd8f
Author: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
AuthorDate: Thu Apr 5 03:50:52 2018 +0200
Commit: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
CommitDate: Fri Jun 12 17:01:39 2020 +0100

tools/blktap2: fix possible '\0' truncation

gcc-8 complains:

tapdisk-vbd.c: In function 'tapdisk_vbd_resume_ring':
tapdisk-vbd.c:1671:53: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
  snprintf(params.name, sizeof(params.name) - 1, "%s", message);
  ^
tapdisk-vbd.c:1671:3: note: 'snprintf' output between 1 and 256 bytes into a destination of size 255
  snprintf(params.name, sizeof(params.name) - 1, "%s", message);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The "- 1" in buffer size should be actually applied to message, to leave place for terminating '\0', not the other way around (truncate '\0' even if it would fit).

In function 'tapdisk_control_open_image',
inlined from 'tapdisk_control_handle_request' at tapdisk-control.c:660:10:
tapdisk-control.c:465:2: error: 'strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
  strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'tapdisk_control_create_socket',
inlined from 'tapdisk_control_open' at tapdisk-control.c:836:9:
tapdisk-control.c:793:2: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation]
  strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block-qcow.c: In function 'qcow_create':
block-qcow.c:1216:5: error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
  strncpy(backing_filename, backing_file,
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  sizeof(backing_filename));
  ~~~~~~~~~~~~~~~~~~~~~~~~~

In those cases, reduce size of copied string and make sure
final '\0' is added. Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx> Release-Acked-by: Juergen Gross <jgross@xxxxxxxx> (cherry picked from commit 850e89b3ef1a7be6b71fa7ae22333c884e08431a) --- tools/blktap2/drivers/block-qcow.c | 3 ++- tools/blktap2/drivers/tapdisk-control.c | 5 +++-- tools/blktap2/drivers/tapdisk-vbd.c | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/blktap2/drivers/block-qcow.c b/tools/blktap2/drivers/block-qcow.c index b45bcaa077..ae439221ab 100644 --- a/tools/blktap2/drivers/block-qcow.c +++ b/tools/blktap2/drivers/block-qcow.c @@ -1214,7 +1214,8 @@ int qcow_create(const char *filename, uint64_t total_size, if (p && (p - backing_file) >= 2) { /* URL like but exclude "c:" like filenames */ strncpy(backing_filename, backing_file, - sizeof(backing_filename)); + sizeof(backing_filename) - 1); + backing_filename[sizeof(backing_filename) - 1] = '\0'; } else { if (realpath(backing_file, backing_filename) == NULL || stat(backing_filename, &st) != 0) { diff --git a/tools/blktap2/drivers/tapdisk-control.c b/tools/blktap2/drivers/tapdisk-control.c index 0b5cf3cdd3..3ca5713063 100644 --- a/tools/blktap2/drivers/tapdisk-control.c +++ b/tools/blktap2/drivers/tapdisk-control.c @@ -462,7 +462,8 @@ tapdisk_control_open_image(struct tapdisk_control_connection *connection, params.capacity = image.size; params.sector_size = image.secsize; - strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN); + strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN - 1); + params.name[BLKTAP2_MAX_MESSAGE_LEN - 1] = '\0'; err = ioctl(vbd->ring.fd, BLKTAP2_IOCTL_CREATE_DEVICE, ¶ms); if (err && errno != EEXIST) { 
@@ -790,7 +791,7 @@ tapdisk_control_create_socket(char **socket_path) } memset(&saddr, 0, sizeof(saddr)); - strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path)); + strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path) - 1); saddr.sun_family = AF_UNIX; err = bind(td_control.socket, diff --git a/tools/blktap2/drivers/tapdisk-vbd.c b/tools/blktap2/drivers/tapdisk-vbd.c index fd4999a5ec..842a427861 100644 --- a/tools/blktap2/drivers/tapdisk-vbd.c +++ b/tools/blktap2/drivers/tapdisk-vbd.c @@ -1668,7 +1668,8 @@ out: params.sector_size = image.secsize; params.capacity = image.size; - snprintf(params.name, sizeof(params.name) - 1, "%s", message); + snprintf(params.name, sizeof(params.name), + "%.*s", (int)sizeof(params.name) - 1, message); ioctl(vbd->ring.fd, BLKTAP2_IOCTL_SET_PARAMS, ¶ms); td_flag_clear(vbd->state, TD_VBD_PAUSED); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.9
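
Review bot: In the block-qcow.c hunk (qcow_create, URL-like branch), a backing_file longer than sizeof(backing_filename) - 1 is now terminated correctly but is still truncated silently, so the image would record a backing file name that differs from the one the caller passed. The else branch already fails when realpath() or stat() fails; this branch could do the same by rejecting the input when strlen(backing_file) >= sizeof(backing_filename) before the strncpy().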
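
Review bot: In the first tapdisk-control.c hunk (tapdisk_control_open_image), the bound and the terminator index are both written as BLKTAP2_MAX_MESSAGE_LEN rather than sizeof(params.name), so the store to params.name[BLKTAP2_MAX_MESSAGE_LEN - 1] is only in bounds for as long as the macro and the array size stay equal. The tapdisk-vbd.c hunk in this same patch uses sizeof(params.name) for the same field; using sizeof(params.name) - 1 here too would keep the two sites consistent and tie the write to the actual destination.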
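
Review bot: In the second tapdisk-control.c hunk (tapdisk_control_create_socket), no explicit terminator is written after the strncpy(), unlike the other two strncpy() sites in this patch; termination depends entirely on the memset(&saddr, 0, sizeof(saddr)) two lines above. That works as written, but a short comment saying so would stop a later reordering from reintroducing the bug. Separately, a td_control.path longer than sizeof(saddr.sun_path) - 1 is truncated without an error, so bind() would be called on a path other than the one stored in td_control.path; a length check that returns an error would be safer than binding to the shortened name.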
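
Review bot: In the tapdisk-vbd.c hunk (after the out: label), the "%.*s" precision of (int)sizeof(params.name) - 1 repeats the limit that the size argument sizeof(params.name) already enforces, so its only visible purpose is to satisfy the -Wformat-truncation diagnostic quoted in the commit message. A one-line comment stating that would help the next reader, and if a truncated name matters to BLKTAP2_IOCTL_SET_PARAMS, comparing strlen(message) against sizeof(params.name) before the call would make the truncation detectable instead of silent.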