rpc_clnt_set_nodename() appears to assume that the return value from strlcpy() is the size of the copied string. It is not. It is the size of the string that strlcpy() was asked to copy. If truncation happened, the return value will be longer than the buffer. So we need to compare the returned value with the buffer size-1 and record the smaller of the two. Signed-off-by: NeilBrown <neilb@xxxxxxxx> --- net/sunrpc/clnt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index b5cb921775a0..b62ab1a7bb98 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c @@ -287,6 +287,9 @@ static void rpc_clnt_set_nodename(struct rpc_clnt *clnt, const char *nodename) { clnt->cl_nodelen = strlcpy(clnt->cl_nodename, nodename, sizeof(clnt->cl_nodename)); + if (clnt->cl_nodelen >= sizeof(clnt->cl_nodename)) + /* nodename was truncated... */ + clnt->cl_nodelen = sizeof(clnt->cl_nodelen) - 1; } static int rpc_client_register(struct rpc_clnt *clnt, -- 2.12.2
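Review bot: the clamp on the last added line takes sizeof(clnt->cl_nodelen), the size of the length member itself, while the condition just above it and the commit message both refer to the buffer, cl_nodename. As written, a truncated nodename would be recorded with a length derived from the width of the length field rather than the buffer size minus one, so cl_nodelen would no longer describe the string actually stored in cl_nodename. The assignment should read `clnt->cl_nodelen = sizeof(clnt->cl_nodename) - 1;`. Since the if body spans a comment plus a statement, braces around it would also make the extent of the branch clearer.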