On Thu, Apr 04, 2024 at 06:33:38PM -0400, James Bottomley wrote:
> But additionally this is a common pattern in SCSI: using strncpy to
> zero terminate fields that may be unterminated in the exchange protocol
> so we can send them to sysfs or otherwise treat them as strings. That
> means we might have this problem in other drivers you've converted ...

This use of copying a maybe-NUL-terminated source is yet another weird
corner-case of strncpy(). :( But it's also easy to check for this
"strncpy used with size matching source size but destination is bigger"
case with some build instrumentation. I'll see what it turns up.

-- 
Kees Cook
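
Added example, not part of the original message or of any kernel driver: a userspace C illustration of the pattern discussed above, where strncpy() is bounded by the source field size and the destination is one byte larger, next to a hypothetical copy whose size argument includes the terminator. FIELD_LEN, the sample fields and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8 /* constructed fixed-width wire field; may have no NUL */

/* Constructed samples: one fills the field exactly, one is short. */
const char full_field[FIELD_LEN]  = {'A','B','C','D','E','F','G','H'};
const char short_field[FIELD_LEN] = {'d','i','s','k', 0, 0, 0, 0};

/* Pattern from the thread: strncpy() bounded by the SOURCE size into a
 * larger, pre-zeroed destination, so the result is always terminated. */
size_t field_strncpy(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst_len <= src_len)
        return 0;                /* no room for the terminator */
    memset(dst, 0, dst_len);
    strncpy(dst, src, src_len);  /* stops at a NUL or after src_len bytes */
    return strlen(dst);
}

/* Hypothetical stand-in for a bounded copy whose size argument includes
 * the terminator: given the source size it keeps at most src_len - 1 bytes. */
size_t field_size_incl_nul(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    const char *nul = memchr(src, '\0', src_len);
    size_t n = nul ? (size_t)(nul - src) : src_len;

    if (src_len == 0 || dst_len < src_len)
        return 0;
    if (n > src_len - 1)
        n = src_len - 1;         /* last byte of a full field is dropped */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char a[FIELD_LEN + 1], b[FIELD_LEN + 1];

    field_strncpy(a, sizeof(a), full_field, FIELD_LEN);
    field_size_incl_nul(b, sizeof(b), full_field, FIELD_LEN);
    printf("strncpy pattern: \"%s\"  size-includes-NUL copy: \"%s\"\n", a, b);
    field_strncpy(a, sizeof(a), short_field, FIELD_LEN);
    printf("short field:     \"%s\"\n", a);
    return 0;
}
```

The two functions agree on the short field and differ only when the field is filled to its last byte, which is why such call sites are easy to miss by inspection.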