On Wed, Feb 21, 2024 at 11:50:26PM +0000, Justin Stitt wrote:
> strncpy() is deprecated [1] and as such we should use different apis to
> copy string data.
>
> We can see that ct is NUL-initialized with fc_ct_hdr_fill:
> | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn) + len,
> ...
>
> In fc_ct_hdr_fill():
> | memset(ct, 0, ct_plen);
>
> We also calculate the length of the source string:
> | len = strnlen(fc_host_symbolic_name(lport->host), 255);
>
> ...then this argument is used in strncpy(), which is bad because the
> pattern of (dest, src, strlen(src)) usually leaves the destination
> buffer without NUL-termination. However, it looks as though we do not
> require NUL-termination since fr_name is part of a seq_buf-like
> structure wherein its length is monitored:
> | struct fc_ns_rspn {
> | struct fc_ns_fid fr_fid; /* port ID object */
> | __u8 fr_name_len;
> | char fr_name[];
> | } __attribute__((__packed__));
>
> So, this is really just a byte copy into a length-bounded buffer. Let's
> use memcpy().
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
Thanks for the refresh! This looks right to me.
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
--
Kees Cook
