strncpy() does not ensure NULL-termination when the input string size equals to the destination buffer size LPFC_MAX_DATA_CTRL_LEN. The output string bucket_data is passed to strsep() which relies on NULL-termination. Use strlcpy() instead. Signed-off-by: Wang Xiayang <xywang.sjtu@xxxxxxxxxxx> --- drivers/scsi/lpfc/lpfc_attr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c index ea62322ffe2b..ca3fdc9857fb 100644 --- a/drivers/scsi/lpfc/lpfc_attr.c +++ b/drivers/scsi/lpfc/lpfc_attr.c @@ -4197,7 +4197,7 @@ lpfc_stat_data_ctrl_store(struct device *dev, struct device_attribute *attr, if (strlen(buf) > (LPFC_MAX_DATA_CTRL_LEN - 1)) return -EINVAL; - strncpy(bucket_data, buf, LPFC_MAX_DATA_CTRL_LEN); + strlcpy(bucket_data, buf, LPFC_MAX_DATA_CTRL_LEN); str_ptr = &bucket_data[0]; /* Ignore this token - this is command token */ token = strsep(&str_ptr, "\t "); -- 2.11.0
