Author: gonzo
Date: Mon Feb 11 07:42:32 2019
New Revision: 343998
URL: https://svnweb.freebsd.org/changeset/base/343998

Log:
  Fix off-by-one error in BERI virtio driver
  
  The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero,
  so there is one byte written out of array bounds. As a fix use strncpy: it
  appends \0 only if space allows and its behavior matches virtio spec:
  
  When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
  written to the buffer. The identifier should be interpreted as an ascii string.
  It is terminated with \0, unless it is exactly 20 bytes long.
  
  PR:           202298
  Reviewed by:  br
  MFC after:    1 week
  Differential Revision:        https://reviews.freebsd.org/D18852

Modified:
  head/sys/dev/beri/virtio/virtio_block.c

Modified: head/sys/dev/beri/virtio/virtio_block.c
==============================================================================
--- head/sys/dev/beri/virtio/virtio_block.c     Mon Feb 11 07:09:02 2019        
(r343997)
+++ head/sys/dev/beri/virtio/virtio_block.c     Mon Feb 11 07:42:32 2019        
(r343998)
@@ -187,7 +187,7 @@ vtblk_proc(struct beri_vtblk_softc *sc, struct vqueue_
                break;
        case VIRTIO_BLK_T_GET_ID:
                /* Assume a single buffer */
-               strlcpy(iov[1].iov_base, sc->ident,
+               strncpy(iov[1].iov_base, sc->ident,
                    MIN(iov[1].iov_len, sizeof(sc->ident)));
                err = 0;
                break;
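Review bot: The strncpy call under VIRTIO_BLK_T_GET_ID now intentionally leaves the guest buffer without a terminating \0 when the ident fills all of sizeof(sc->ident) or when iov[1].iov_len is smaller, and nothing at the call site says so. A short comment stating that the ID is a fixed-width field, NUL-terminated only when shorter than the buffer, would keep a later cleanup from switching back to strlcpy, which drops the last byte of a full-length ident. Since the length is already bounded with MIN(), memcpy with that length would express the fixed-width intent more directly, provided sc->ident is always fully initialized.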
@@ -401,7 +401,7 @@ backend_info(struct beri_vtblk_softc *sc)
                s+=1;
        }
 
-       sprintf(sc->ident, "Virtio block backend");
+       strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident));
 
        return (0);
 }
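Review bot: After the strncpy in backend_info(), sc->ident holds the 20-character literal and, per the log message, has no room for a terminating \0, so the field is no longer a C string and that is not documented. Any other use of sc->ident with strlen, a "%s" format or as the source of a string copy would read past the array; a comment here or at the field declaration should state that it is a fixed-width, possibly unterminated field. A compile-time assertion that sizeof("Virtio block backend") - 1 does not exceed sizeof(sc->ident) would also catch silent truncation if the literal is changed later.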