[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 4/7] tools/blktap2: fix possible '\0' truncation
gcc-8 complains: tapdisk-vbd.c: In function 'tapdisk_vbd_resume_ring': tapdisk-vbd.c:1671:53: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=] snprintf(params.name, sizeof(params.name) - 1, "%s", message); ^ tapdisk-vbd.c:1671:3: note: 'snprintf' output between 1 and 256 bytes into a destination of size 255 snprintf(params.name, sizeof(params.name) - 1, "%s", message); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The "- 1" in buffer size should be actually applied to message, to leave place for terminating '\0', not the other way around (truncate '\0' even if it would fit). In function 'tapdisk_control_open_image', inlined from 'tapdisk_control_handle_request' at tapdisk-control.c:660:10: tapdisk-control.c:465:2: error: 'strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation] strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'tapdisk_control_create_socket', inlined from 'tapdisk_control_open' at tapdisk-control.c:836:9: tapdisk-control.c:793:2: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation] strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ block-qcow.c: In function 'qcow_create': block-qcow.c:1216:5: error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation] strncpy(backing_filename, backing_file, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(backing_filename)); ~~~~~~~~~~~~~~~~~~~~~~~~~ I those cases, reduce size of copied string and make sure final '\0' is added. Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> --- tools/blktap2/drivers/block-qcow.c | 3 ++- tools/blktap2/drivers/tapdisk-control.c | 5 +++-- tools/blktap2/drivers/tapdisk-vbd.c | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/blktap2/drivers/block-qcow.c b/tools/blktap2/drivers/block-qcow.c index b45bcaa..ae43922 100644 --- a/tools/blktap2/drivers/block-qcow.c +++ b/tools/blktap2/drivers/block-qcow.c @@ -1214,7 +1214,8 @@ int qcow_create(const char *filename, uint64_t total_size, if (p && (p - backing_file) >= 2) { /* URL like but exclude "c:" like filenames */ strncpy(backing_filename, backing_file, - sizeof(backing_filename)); + sizeof(backing_filename) - 1); + backing_filename[sizeof(backing_filename) - 1] = '\0'; } else { if (realpath(backing_file, backing_filename) == NULL || stat(backing_filename, &st) != 0) { diff --git a/tools/blktap2/drivers/tapdisk-control.c b/tools/blktap2/drivers/tapdisk-control.c index 0b5cf3c..3ca5713 100644 --- a/tools/blktap2/drivers/tapdisk-control.c +++ b/tools/blktap2/drivers/tapdisk-control.c @@ -462,7 +462,8 @@ tapdisk_control_open_image(struct tapdisk_control_connection *connection, params.capacity = image.size; params.sector_size = image.secsize; - strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN); + strncpy(params.name, vbd->name, BLKTAP2_MAX_MESSAGE_LEN - 1); + params.name[BLKTAP2_MAX_MESSAGE_LEN - 1] = '\0'; err = ioctl(vbd->ring.fd, BLKTAP2_IOCTL_CREATE_DEVICE, ¶ms); if (err && errno != EEXIST) { @@ -790,7 +791,7 @@ tapdisk_control_create_socket(char **socket_path) } memset(&saddr, 0, sizeof(saddr)); - strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path)); + strncpy(saddr.sun_path, td_control.path, sizeof(saddr.sun_path) - 1); saddr.sun_family = AF_UNIX; err = bind(td_control.socket, diff --git a/tools/blktap2/drivers/tapdisk-vbd.c b/tools/blktap2/drivers/tapdisk-vbd.c index fd4999a..842a427 100644 --- a/tools/blktap2/drivers/tapdisk-vbd.c +++ b/tools/blktap2/drivers/tapdisk-vbd.c @@ -1668,7 +1668,8 @@ out: params.sector_size = image.secsize; params.capacity = image.size; - snprintf(params.name, sizeof(params.name) - 1, "%s", message); + snprintf(params.name, sizeof(params.name), + "%.*s", (int)sizeof(params.name) - 1, message); ioctl(vbd->ring.fd, BLKTAP2_IOCTL_SET_PARAMS, ¶ms); td_flag_clear(vbd->state, TD_VBD_PAUSED); -- git-series 0.9.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |