Re: [PATCH 03/11] staging: replace weird strncpy() with memcpy()

[Arnd Bergmann]

On Mon, Apr 8, 2024, at 17:59, Dan Carpenter wrote:
> On Mon, Apr 08, 2024 at 04:45:55PM +0200, Arnd Bergmann wrote:
>> On Thu, Mar 28, 2024, at 17:35, Dan Carpenter wrote:
>> >>  	if (sendbytes > 8) {
>> >>  		memcpy(buf, inquiry_buf, 8);
>> >> -		strncpy(buf + 8, inquiry_string, sendbytes - 8);
>> >> +		memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
>> >
>> > I think your math is off.  The string is 29 characters + NUL.  So it
>> > should be "min(sendbytes, 38) - 8".  You're chopping off the space and
>> > the NUL terminator.
>> >
>> > This only affects pro_formatter_flag code...
>> 
>> The extra two bytes were clearly a mistake in the original version
>> at the time it got added to drivers/staging. Note how the code
>> immediately below it would overwrite the space and NUL byte again:
>> 
>>         if (pro_formatter_flag) {
>>                 if (sendbytes > 36)
>>                         memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
>>         }
>> 
>
> Ah.  Okay.  Fair enough.
>
> I do think this code is really suspect...  What is the point of allowing
> sendbytes < 36?  But that's not related to your patch.

As far as I can tell, the driver tries to emulate the behavior
or normal scsi commands that could be issued from userspace through
SGIO with a short length. drivers/ata/libata-scsi.c has code to
handle INQUIRY as well that is somewhat similar but also different
enough that I don't trust the rts5208 version of it.

On a separate note, I just noticed that I forgot to put
the driver name into the subject line, which I've fixed
up for v2 as well now.

    Arnd