strncpy() does not ensure NULL-termination when the input string
size equals to the destination buffer size LPFC_MAX_DATA_CTRL_LEN.
The output string bucket_data is passed to strsep() which relies
on NULL-termination.
Use strlcpy() instead.
Signed-off-by: Wang Xiayang <xywang.s...@sjtu.edu.cn>
---
drivers/scsi/lpfc/lpfc_attr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
index ea62322ffe2b..ca3fdc9857fb 100644
--- a/drivers/scsi/lpfc/lpfc_attr.c
+++ b/drivers/scsi/lpfc/lpfc_attr.c
@@ -4197,7 +4197,7 @@ lpfc_stat_data_ctrl_store(struct device *dev, struct
device_attribute *attr,
if (strlen(buf) > (LPFC_MAX_DATA_CTRL_LEN - 1))
return -EINVAL;
- strncpy(bucket_data, buf, LPFC_MAX_DATA_CTRL_LEN);
+ strlcpy(bucket_data, buf, LPFC_MAX_DATA_CTRL_LEN);
str_ptr = &bucket_data[0];
/* Ignore this token - this is command token */
token = strsep(&str_ptr, "\t ");
--
2.11.0
