On Fri, 2024-08-02 at 13:26 -0400, Benjamin Marzinski wrote:
> The ontap prioritizer functions dump_cdb() and process_sg_error()
> both
> incorrectly set the snprintf() limits larger than the available
> space.
> Instead of multiplying the number of elements to print by the size of
> an
> element to calculate the limit, they multiplied the number of
> elements
> to print by the maximum number of elements that the buffer could
> hold.
>
> Fix this, and also make sure that the number of elements to print is
> less than or equal to the maximum number that the buffer can hold.
>
> Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx>
> ---
> libmultipath/prioritizers/ontap.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/libmultipath/prioritizers/ontap.c
> b/libmultipath/prioritizers/ontap.c
> index 117886ea..28e663ac 100644
> --- a/libmultipath/prioritizers/ontap.c
> +++ b/libmultipath/prioritizers/ontap.c
> @@ -39,8 +39,8 @@ static void dump_cdb(unsigned char *cdb, int size)
> char * p = &buf[0];
>
> condlog(0, "- SCSI CDB: ");
> - for (i=0; i<size; i++) {
> - p += snprintf(p, 10*(size-i), "0x%02x ", cdb[i]);
> + for (i = 0; i < size && i < 10; i++) {
> + p += snprintf(p, 5*(size-i), "0x%02x ", cdb[i]);
> }
This seems incorrect, too. We should pass the remaining size of the
buffer, which is ((10 - i) * 5 + 1), unless I am mistaken. It's bogus
to use the "size" variable in the calculation of the remaining buffer
size. Plus, we should break the loop if i >= 10, and check the return
value of snprintf (if we don't, we might as well use sprintf in the
first place).
Actually, this code is horrible and we should rather use strbuf.
Strange that none of our many compilers found this, and even coverity
didn't.
> condlog(0, "%s", buf);
> }
> @@ -56,8 +56,8 @@ static void process_sg_error(struct sg_io_hdr
> *io_hdr)
> io_hdr->host_status, io_hdr->driver_status);
> if (io_hdr->sb_len_wr > 0) {
> condlog(0, "- SCSI sense data: ");
> - for (i=0; i<io_hdr->sb_len_wr; i++) {
> - p += snprintf(p, 128*(io_hdr->sb_len_wr-i),
> "0x%02x ",
> + for (i = 0; i < io_hdr->sb_len_wr && i < 128; i++) {
> + p += snprintf(p, 5*(io_hdr->sb_len_wr-i),
> "0x%02x ",
> io_hdr->sbp[i]);
> }
Same here, the remaining buffer size is (5 * (128 - i) + 1).
Martin
> condlog(0, "%s", buf);
