Re: strncat() misuse (was: Re: dm_attr_{name,uuid}_show buffer overflow? (was: Re: linux-next: Tree for January 5))

[Alasdair G Kergon]

On Mon, Jan 05, 2009 at 11:18:38PM +0100, Geert Uytterhoeven wrote:
> On Mon, 5 Jan 2009, Geert Uytterhoeven wrote:
> > On Mon, 5 Jan 2009, Stephen Rothwell wrote:

> > |         strncat(buf, "\n", DM_NAME_LEN);
> > |         return strnlen(buf, DM_NAME_LEN);

> > Probably the intention was to limit the string in _buf_ (not the source string
> > "\n") to DM_NAME_LEN? If yes, this may cause a buffer overflow.

Both the 'n's look bogus to me as runtime checks.  But I think the code happens
to work correctly - apart from your compilation problem.

buf is always a page and both strings (name and uuid) are NULL-terminated and
the longest possible is 128 chars of uuid plus the "\n" i.e. 130 (except for a
bug I noticed on one code path which we'll fix).

Alasdair
-- 
agk@xxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/