[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.9] tools/blktap2: fix possible '\0' truncation



commit 1eae17268887bacbc598ef6e3290059dbeb4fd8f
Author:     Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
AuthorDate: Thu Apr 5 03:50:52 2018 +0200
Commit:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
CommitDate: Fri Jun 12 17:01:39 2020 +0100

    tools/blktap2: fix possible '\0' truncation
    
    gcc-8 complains:
    
        tapdisk-vbd.c: In function 'tapdisk_vbd_resume_ring':
        tapdisk-vbd.c:1671:53: error: 'snprintf' output may be truncated before 
the last format character [-Werror=format-truncation=]
           snprintf(params.name, sizeof(params.name) - 1, "%s", message);
                                                             ^
        tapdisk-vbd.c:1671:3: note: 'snprintf' output between 1 and 256 bytes 
into a destination of size 255
           snprintf(params.name, sizeof(params.name) - 1, "%s", message);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    The "- 1" in buffer size should be actually applied to message, to leave
    place for terminating '\0', not the other way around (truncate '\0' even
    if it would fit).
    
        In function 'tapdisk_control_open_image',
            inlined from 'tapdisk_control_handle_request' at 
tapdisk-control.c:660:10:
        tapdisk-control.c:465:2: error: 'strncpy' specified bound 256 equals 
destination size [-Werror=stringop-truncation]
          strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN);
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
        In function 'tapdisk_control_create_socket',
            inlined from 'tapdisk_control_open' at tapdisk-control.c:836:9:
        tapdisk-control.c:793:2: error: 'strncpy' specified bound 108 equals 
destination size [-Werror=stringop-truncation]
          strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path));
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
        block-qcow.c: In function 'qcow_create':
        block-qcow.c:1216:5: error: 'strncpy' specified bound 4096 equals 
destination size [-Werror=stringop-truncation]
             strncpy(backing_filename, backing_file,
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              sizeof(backing_filename));
              ~~~~~~~~~~~~~~~~~~~~~~~~~
    
    I those cases, reduce size of copied string and make sure final '\0' is
    added.
    
    Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
    Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Release-Acked-by: Juergen Gross <jgross@xxxxxxxx>
    (cherry picked from commit 850e89b3ef1a7be6b71fa7ae22333c884e08431a)
---
 tools/blktap2/drivers/block-qcow.c      | 3 ++-
 tools/blktap2/drivers/tapdisk-control.c | 5 +++--
 tools/blktap2/drivers/tapdisk-vbd.c     | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/tools/blktap2/drivers/block-qcow.c 
b/tools/blktap2/drivers/block-qcow.c
index b45bcaa077..ae439221ab 100644
--- a/tools/blktap2/drivers/block-qcow.c
+++ b/tools/blktap2/drivers/block-qcow.c
@@ -1214,7 +1214,8 @@ int qcow_create(const char *filename, uint64_t total_size,
                        if (p && (p - backing_file) >= 2) {
                                /* URL like but exclude "c:" like filenames */
                                strncpy(backing_filename, backing_file,
-                                       sizeof(backing_filename));
+                                       sizeof(backing_filename) - 1);
+                               backing_filename[sizeof(backing_filename) - 1] 
= '\0';
                        } else {
                                if (realpath(backing_file, backing_filename) == 
NULL ||
                                    stat(backing_filename, &st) != 0) {
diff --git a/tools/blktap2/drivers/tapdisk-control.c 
b/tools/blktap2/drivers/tapdisk-control.c
index 0b5cf3cdd3..3ca5713063 100644
--- a/tools/blktap2/drivers/tapdisk-control.c
+++ b/tools/blktap2/drivers/tapdisk-control.c
@@ -462,7 +462,8 @@ tapdisk_control_open_image(struct 
tapdisk_control_connection *connection,
 
        params.capacity = image.size;
        params.sector_size = image.secsize;
-       strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN);
+       strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN - 1);
+       params.name[BLKTAP2_MAX_MESSAGE_LEN - 1] = '\0';
 
        err = ioctl(vbd->ring.fd, BLKTAP2_IOCTL_CREATE_DEVICE, &params);
        if (err && errno != EEXIST) {
@@ -790,7 +791,7 @@ tapdisk_control_create_socket(char **socket_path)
        }
 
        memset(&saddr, 0, sizeof(saddr));
-       strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path));
+       strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path) - 1);
        saddr.sun_family = AF_UNIX;
 
        err = bind(td_control.socket,
diff --git a/tools/blktap2/drivers/tapdisk-vbd.c 
b/tools/blktap2/drivers/tapdisk-vbd.c
index fd4999a5ec..842a427861 100644
--- a/tools/blktap2/drivers/tapdisk-vbd.c
+++ b/tools/blktap2/drivers/tapdisk-vbd.c
@@ -1668,7 +1668,8 @@ out:
 
                params.sector_size = image.secsize;
                params.capacity    = image.size;
-               snprintf(params.name, sizeof(params.name) - 1, "%s", message);
+               snprintf(params.name, sizeof(params.name),
+                        "%.*s", (int)sizeof(params.name) - 1, message);
 
                ioctl(vbd->ring.fd, BLKTAP2_IOCTL_SET_PARAMS, &params);
                td_flag_clear(vbd->state, TD_VBD_PAUSED);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.9



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.