Fix off-by-one error in BERI virtio driver

The hardcoded ident is exactly 20 bytes long but sprintf adds a terminating zero,
so there is one byte written out of array bounds. As a fix use strncpy; it
appends \0 only if space allows and its behavior matches the virtio spec:

When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.

PR:		202298
Reviewed by:	br
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D18852
Oleksandr Tymoshenko 2019-02-11 07:42:32 +00:00
parent d178fee632
commit 3af08701cd

@ -187,7 +187,7 @@ vtblk_proc(struct beri_vtblk_softc *sc, struct vqueue_info *vq)
break;
case VIRTIO_BLK_T_GET_ID:
/* Assume a single buffer */
strlcpy(iov[1].iov_base, sc->ident,
strncpy(iov[1].iov_base, sc->ident,
MIN(iov[1].iov_len, sizeof(sc->ident)));
err = 0;
break;
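Review bot: In the VIRTIO_BLK_T_GET_ID case the copy is safe only because its length is capped by MIN(iov[1].iov_len, sizeof(sc->ident)), and nothing next to "/* Assume a single buffer */" says so. With this change sc->ident can hold a full-width identifier with no terminating \0, so that bound is what stops strncpy from reading past the array; a short comment stating that the source may be unterminated would keep a later cleanup from switching back to strlcpy, which measures the source with strlen. It is also worth noting there that when iov[1].iov_len exceeds sizeof(sc->ident) only the first sizeof(sc->ident) bytes of the guest buffer are written, so a full-length identifier reaches the guest unterminated, as the quoted spec text allows.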
@ -401,7 +401,7 @@ backend_info(struct beri_vtblk_softc *sc)
s+=1;
}
sprintf(sc->ident, "Virtio block backend");
strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident));
return (0);
}
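Review bot: In backend_info(), strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident)) leaves sc->ident without a terminating \0 because the literal fills the array exactly, and the code does not document that. Suggest a comment here or at the field's declaration stating that ident is a fixed-width field rather than a C string, so later code does not pass it to strlen, strlcpy or a %s format. The literal's length and the array size are also coupled silently; a named constant for the identifier size, used for the declaration and the copy, would make that dependency visible.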