Re: [PATCH 1/3] [v2] staging: rts5208: replace weird strncpy() with memcpy()

From: Justin Stitt
Date: Mon Apr 08 2024 - 16:28:36 EST


Hi,

On Mon, Apr 08, 2024 at 09:48:09PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@xxxxxxxx>
>
> When -Wstringop-truncation is enabled, gcc finds a function that
> always does a short copy:
>
> In function 'inquiry',
> inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3210:12:
> drivers/staging/rts5208/rtsx_scsi.c:526:17: error: 'strncpy' output truncated copying between 1 and 28 bytes from a string of length 28 [-Werror=stringop-truncation]
> 526 | strncpy(buf + 8, inquiry_string, sendbytes - 8);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The code originally had a memcpy() that would overread the source string,
> and commit 88a5b39b69ab ("staging/rts5208: Fix read overflow in memcpy")
> fixed this but introduced the warning about truncation in the process.
>
> As Dan points out, the final space in the inquiry_string always gets
> cut off, so remove it here for clarity, leaving exactly the 28 non-NUL
> characters that can get copied into the output. In the 'pro_formatter_flag'
> this is followed by another 20 bytes from the 'formatter_inquiry_str'
> array, but there the output never contains a NUL-termination, and the
> length is known, so memcpy() is the more logical choice.
>
> Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Link: https://lore.kernel.org/lkml/695be581-548f-4e5e-a211-5f3b95568e77@moroto.mountain/
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
> ---
> v2: remove unneeded space byte from input string for clarity,
> rework changelog text
> ---
> drivers/staging/rts5208/rtsx_scsi.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
> index 08bd768ad34d..c27cffb9ad8f 100644
> --- a/drivers/staging/rts5208/rtsx_scsi.c
> +++ b/drivers/staging/rts5208/rtsx_scsi.c
> @@ -463,10 +463,10 @@ static unsigned char formatter_inquiry_str[20] = {
> static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
> {
> unsigned int lun = SCSI_LUN(srb);
> - char *inquiry_default = (char *)"Generic-xD/SD/M.S. 1.00 ";
> - char *inquiry_sdms = (char *)"Generic-SD/MemoryStick 1.00 ";
> - char *inquiry_sd = (char *)"Generic-SD/MMC 1.00 ";
> - char *inquiry_ms = (char *)"Generic-MemoryStick 1.00 ";
> + char *inquiry_default = (char *)"Generic-xD/SD/M.S. 1.00";
> + char *inquiry_sdms = (char *)"Generic-SD/MemoryStick 1.00";
> + char *inquiry_sd = (char *)"Generic-SD/MMC 1.00";
> + char *inquiry_ms = (char *)"Generic-MemoryStick 1.00";
> char *inquiry_string;
> unsigned char sendbytes;
> unsigned char *buf;
> @@ -523,7 +523,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
>
> if (sendbytes > 8) {
> memcpy(buf, inquiry_buf, 8);
> - strncpy(buf + 8, inquiry_string, sendbytes - 8);
> + memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);

I must say I am not the biggest fan of manual string management with raw
pointer offsets. I wonder if scnprintf() could achieve your goal here of
combining inquiry_buf with inquiry_string into buf (perhaps utilizing
%.*s format specifier).

With that being said, I am just a casual reader of this code and I
really don't know much about the expected behavior of `buf`
(NUL-terminated, NUL-padded, etc) or even what the next line buf[4]=0x33
does.

Your patch looks good and removes an instance of strncpy which helps
towards [1].

Reviewed-by: Justin Stitt <justinstitt@xxxxxxxxxx>

> if (pro_formatter_flag) {
> /* Additional Length */
> buf[4] = 0x33;
> --
> 2.39.2
>
>

[1]: https://github.com/KSPP/linux/issues/90

Thanks
Justin