On 04/09/09 19:08, Alok Aggarwal wrote:
>
> On Thu, 9 Apr 2009, jan damborsky wrote:
>
>>> td_mg.c: line 2058: Back tracking through the call chain
>>> I can see that the passed in char *disk, is really a
>>> disk_info_t.disk_name which is a char *. In other words
>>> the disk_name is unbounded. In all likelihood it will
>>> be <MAXPATHLEN, but what is the effect on target discovery
>>> if it isn't (esp line 2097)?
>>
>> The assumption made here was based on the following consideration:
>> partition/slice device name is also part of path in /dev/ directory,
>> e.g. /dev/dsk/<disk_name><slice_name> - and its total size is limited
>> to MAXPATHLEN, since it is a regular path.
>> Since we are dealing only with the '<disk_name><slice_name>' part here,
>> its size is always <MAXPATHLEN. If a mangled/invalid disk name is
>> provided, this is not the right place to decide and take correct action,
>> the only thing we could do here is to be robust and avoid buffer
>> overflow which is assured by using snprintf.
>
> Okay, sounds reasonable.
>
> I'm fine with the updated webrev.

Thanks for the review!
Jan
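The snprintf point discussed in this thread, as an added example that is not code from td_mg.c or the webrev: snprintf prevents the overflow, but an oversized disk name is then silently truncated into a different string unless the return value is checked. The helper name `build_slice_name`, the `s<N>` slice suffix and the small buffer standing in for MAXPATHLEN are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from td_mg.c): writes "<disk>s<slice>" into buf.
 * Returns 0 on success, -1 if the result did not fit or on an output error.
 * On failure buf is emptied so a truncated device name is never used.
 */
int build_slice_name(char *buf, size_t buflen, const char *disk, int slice)
{
    int n;

    if (buf == NULL || buflen == 0 || disk == NULL)
        return -1;

    /* snprintf never writes past buflen, but it returns the length the
     * full string would have had; n >= buflen therefore means truncation. */
    n = snprintf(buf, buflen, "%ss%d", disk, slice);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[8];   /* deliberately tiny stand-in for a MAXPATHLEN buffer */

    /* Constructed sample disk names. */
    const char *disks[] = { "c0d0", "c0t0d0" };
    size_t i;

    for (i = 0; i < sizeof disks / sizeof disks[0]; i++) {
        if (build_slice_name(name, sizeof name, disks[i], 1) == 0)
            printf("%s -> %s\n", disks[i], name);
        else
            printf("%s -> rejected, name would be truncated\n", disks[i]);
    }
    return 0;
}
```
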