strncpy() does not ensure NULL-termination when the input string size equals to the destination buffer size 16. The output string desc is passed to a print-like function which relies on the NULL-termination. Use strlcpy() instead. This issue is detected by a Coccinelle script. Signed-off-by: Wang Xiayang <xywang.sjtu@xxxxxxxxxxx> --- drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 684662888792..36d4c0aed18f 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -4296,7 +4296,7 @@ _base_display_ioc_capabilities(struct MPT3SAS_ADAPTER *ioc) u32 bios_version; bios_version = le32_to_cpu(ioc->bios_pg3.BiosVersion); - strncpy(desc, ioc->manu_pg0.ChipName, 16); + strlcpy(desc, ioc->manu_pg0.ChipName, 16); ioc_info(ioc, "%s: FWVersion(%02d.%02d.%02d.%02d), ChipRevision(0x%02x), BiosVersion(%02d.%02d.%02d.%02d)\n", desc, (ioc->facts.FWVersion.Word & 0xFF000000) >> 24, -- 2.11.0
