On Wed, 2019-03-13 at 07:56 -0400, Mikulas Patocka wrote:
> If the string opt_string is small, the function memcmp can access
> bytes
> that are beyond the terminating nul character. In theory, it could
> cause
> segfault, if opt_string were located just below some unmapped memory.
>
> This patch changes memcmp to strncmp, so that we don't read bytes
> beyond
> the end of the string.
>
> Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # v4.12+
>
> ---
> drivers/md/dm-integrity.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> Index: linux-2.6/drivers/md/dm-integrity.c
> ===================================================================
> --- linux-2.6.orig/drivers/md/dm-integrity.c 2019-03-12
> 15:33:17.000000000 +0100
> +++ linux-2.6/drivers/md/dm-integrity.c 2019-03-12
> 15:34:49.000000000 +0100
> @@ -3185,7 +3185,7 @@ static int dm_integrity_ctr(struct dm_ta
> journal_watermark = val;
> else if (sscanf(opt_string, "commit_time:%u%c",
> &val, &dummy) == 1)
> sync_msec = val;
> - else if (!memcmp(opt_string, "meta_device:",
> strlen("meta_device:"))) {
> + else if (!strncmp(opt_string, "meta_device:",
> strlen("meta_device:"))) {
strncmp(a, b, strlen(b)) is semantically equivalent to strcmp(a,b) but
the latter is far shorter and easier so you should use it.
James
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
