[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <288e65c39f355531c91761b330e530a6336631dd.camel@HansenPartnership.com>
Date: Fri, 03 May 2024 08:36:56 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: David Yang <mmyangfl@...il.com>, linux-block@...r.kernel.org
Cc: Jens Axboe <axboe@...nel.dk>, Xu Panda <xu.panda@....com.cn>, Justin
Stitt <justinstitt@...gle.com>, Yang Yang <yang.yang29@....com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] block: fix buf size for strscpy()
On Fri, 2024-05-03 at 15:48 +0800, David Yang wrote:
> strscpy() takes the total size of destination buffer as the argument,
> including the space for the terminating null character.
>
> The actual length of the buffer should be len(str) + 1, which can be
> seen from the indexes where null characters are written in the code
> before the commit in question, and 'sizeof(buf) - 1' right above
> the problematic codes.
>
> Without the additional 1 size and the absence of checkes against -
> E2BIG, strscpy() will angrily eat the last character of the source
> string. In my situation, strscpy() will take away one character
> before the comma "," (which is presumably the right bracket ")") in
> parse_parts(), making parse_subpart() unable to 'strchr(++partdef,
> ')')' and producing the following error message:
>
> cmdline partition format is invalid.
This is the same problem we brought up with the strscpy conversions in
scsi:
https://lore.kernel.org/all/784db8a20a3ddeb6c0498f2b31719e5198da6581.camel@HansenPartnership.com/
strscpy doesn't correctly replace a function of strncpy we used to get
a zero termination for a possibly unterminated string with a
destination that's one byte larger than the source. The current
proposed fix is this one:
https://lore.kernel.org/all/20240410021833.work.750-kees@kernel.org/
James
Powered by blists - more mailing lists