On Wed, 13 Mar 2019, James Bottomley wrote:

> On Wed, 2019-03-13 at 07:56 -0400, Mikulas Patocka wrote:
> > If the string opt_string is small, the function memcmp can access bytes
> > that are beyond the terminating nul character. In theory, it could cause
> > segfault, if opt_string were located just below some unmapped memory.
> >
> > This patch changes memcmp to strncmp, so that we don't read bytes beyond
> > the end of the string.
> >
> > Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx # v4.12+
> >
> > --- > > drivers/md/dm-integrity.c | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > Index: linux-2.6/drivers/md/dm-integrity.c > > =================================================================== > > --- linux-2.6.orig/drivers/md/dm-integrity.c 2019-03-12 > > 15:33:17.000000000 +0100 > > +++ linux-2.6/drivers/md/dm-integrity.c 2019-03-12 > > 15:34:49.000000000 +0100 > > @@ -3185,7 +3185,7 @@ static int dm_integrity_ctr(struct dm_ta > > journal_watermark = val; > > else if (sscanf(opt_string, "commit_time:%u%c", > > &val, &dummy) == 1) > > sync_msec = val; > > - else if (!memcmp(opt_string, "meta_device:", > > strlen("meta_device:"))) { > > + else if (!strncmp(opt_string, "meta_device:", > > strlen("meta_device:"))) {
>
> strncmp(a, b, strlen(b)) is semantically equivalent to strcmp(a,b) but
> the latter is far shorter and easier so you should use it.
>
> James

No, it isn't.

strncmp("blabla", "bla", strlen("bla")) returns zero.
strcmp("blabla", "bla") returns a positive number.

Mikulas
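
Review bot: In the changed `else if`, the literal "meta_device:" is still spelled twice, once as the pattern and once inside strlen(), so a later edit to one copy silently changes what the prefix test matches; a prefix helper that takes the literal once (the kernel has str_has_prefix() for this) would remove that. The prefix semantics themselves should stay, since an exact-match comparison would reject an option that carries a value after the colon. The diffstat lists 4 insertions and 4 deletions but only this one pair is visible in the quote, so the remaining call sites are worth checking for the same memcmp pattern.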