Re: [PATCH linux-next] xfs: use strscpy() to instead of strncpy()
From: Long Li
Date: Fri Feb 10 2023 - 23:43:08 EST
On Wed, Feb 01, 2023 at 04:57:02PM -0800, Darrick J. Wong wrote:
> On Mon, Jan 09, 2023 at 07:40:43PM +0800, yang.yang29@xxxxxxxxxx wrote:
> > From: Xu Panda <xu.panda@xxxxxxxxxx>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
> >
> > Signed-off-by: Xu Panda <xu.panda@xxxxxxxxxx>
> > Signed-off-by: Yang Yang <yang.yang29@xxxxxxxxxx>
>
> Looks fine,
> Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx>
>
> --D
>
> > ---
> > fs/xfs/xfs_xattr.c | 4 +---
> > 1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
> > index 10aa1fd39d2b..913c1794bc2f 100644
> > --- a/fs/xfs/xfs_xattr.c
> > +++ b/fs/xfs/xfs_xattr.c
> > @@ -212,9 +212,7 @@ __xfs_xattr_put_listent(
> > offset = context->buffer + context->count;
> > memcpy(offset, prefix, prefix_len);
> > offset += prefix_len;
> > - strncpy(offset, (char *)name, namelen); /* real name */
> > - offset += namelen;
> > - *offset = '\0';
> > + strscpy(offset, (char *)name, namelen + 1); /* real name */
The name is not null terminated, it will result slab-out-of-bounds in strscpy().
[1] https://lore.kernel.org/linux-xfs/00000000000065a46a05f4529f59@xxxxxxxxxx/T/#u
> >
> > compute_size:
> > context->count += prefix_len + namelen + 1;
> > --
> > 2.15.2