From owner-svn-src-all@freebsd.org Sat Mar 23 23:43:34 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 638F61560EFE; Sat, 23 Mar 2019 23:43:34 +0000 (UTC) (envelope-from gonzo@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F17A488965; Sat, 23 Mar 2019 23:43:33 +0000 (UTC) (envelope-from gonzo@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E46A6FC18; Sat, 23 Mar 2019 23:43:33 +0000 (UTC) (envelope-from gonzo@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2NNhXj2010433; Sat, 23 Mar 2019 23:43:33 GMT (envelope-from gonzo@FreeBSD.org) Received: (from gonzo@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2NNhXsB010432; Sat, 23 Mar 2019 23:43:33 GMT (envelope-from gonzo@FreeBSD.org) Message-Id: <201903232343.x2NNhXsB010432@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gonzo set sender to gonzo@FreeBSD.org using -f From: Oleksandr Tymoshenko Date: Sat, 23 Mar 2019 23:43:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r345462 - stable/12/sys/dev/beri/virtio X-SVN-Group: stable-12 X-SVN-Commit-Author: gonzo X-SVN-Commit-Paths: stable/12/sys/dev/beri/virtio X-SVN-Commit-Revision: 345462 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: F17A488965 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.94 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Mar 2019 23:43:34 -0000 Author: gonzo Date: Sat Mar 23 23:43:33 2019 New Revision: 345462 URL: https://svnweb.freebsd.org/changeset/base/345462 Log: MFC r343998: Fix off-by-one error in BERI virtio driver The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero, so there is one byte written out of array bounds.As a fix use strncpy it appends \0 only if space allows and its behavior matches virtio spec: When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is written to the buffer. The identifier should be interpreted as an ascii string. It is terminated with \0, unless it is exactly 20 bytes long. PR: 202298 Reviewed by: br Differential Revision: https://reviews.freebsd.org/D18852 Modified: stable/12/sys/dev/beri/virtio/virtio_block.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/dev/beri/virtio/virtio_block.c ============================================================================== --- stable/12/sys/dev/beri/virtio/virtio_block.c Sat Mar 23 22:56:03 2019 (r345461) +++ stable/12/sys/dev/beri/virtio/virtio_block.c Sat Mar 23 23:43:33 2019 (r345462) @@ -187,7 +187,7 @@ vtblk_proc(struct beri_vtblk_softc *sc, struct vqueue_ break; case VIRTIO_BLK_T_GET_ID: /* Assume a single buffer */ - strlcpy(iov[1].iov_base, sc->ident, + strncpy(iov[1].iov_base, sc->ident, MIN(iov[1].iov_len, sizeof(sc->ident))); err = 0; break; @@ -401,7 +401,7 @@ backend_info(struct beri_vtblk_softc *sc) s+=1; } - sprintf(sc->ident, "Virtio block backend"); + strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident)); return (0); }