RE: [PATCH] scsi: scsi_devinfo.c: Cleaning up unnecessarily complicated in conjunction with strncpy

[Elliott, Robert (Server Storage)]

> -----Original Message-----
> From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi-
> owner@xxxxxxxxxxxxxxx] On Behalf Of Rickard Strandqvist
...
> diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
...
>  static void scsi_strcpy_devinfo(char *name, char *to, size_t to_length,
>  				char *from, int compatible)
>  {
> -	size_t from_length;
> -
> -	from_length = strlen(from);
> -	strncpy(to, from, min(to_length, from_length));
> -	if (from_length < to_length) {
> -		if (compatible) {
> -			/*
> -			 * NUL terminate the string if it is short.
> -			 */
> -			to[from_length] = '\0';
> -		} else {
> -			/*
> -			 * space pad the string if it is short.
> -			 */
> -			strncpy(&to[from_length], spaces,
> -				to_length - from_length);
> -		}
> -	}
> -	if (from_length > to_length)
> -		 printk(KERN_WARNING "%s: %s string '%s' is too long\n",
> +	strncpy(to, from, to_length);
> +	if (to[to_length - 1] != '\0') {
> +		to[to_length - 1] = '\0';
> +		printk(KERN_WARNING "%s: %s string '%s' is too long\n",
>  			__func__, name, from);
> +	}

The caller of this function, scsi_dev_info_list_add_keyed, created
the "to" destination buffer, devinfo, with kmalloc, so it's not
guaranteed to be full of zeros.

If from_length is shorter than to_length, then this code will
be inspecting an uninitialized character that strncpy didn't
touch.

---
Rob Elliott    HP Server Storage





--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/