From: Arnd Bergmann <arnd@xxxxxxxx>
When -Wstringop-truncation is enabled, gcc finds a function that
always does a short copy:
In function 'inquiry',
inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3210:12:
drivers/staging/rts5208/rtsx_scsi.c:526:17: error: 'strncpy' output truncated copying between 1 and 28 bytes from a string of length 28 [-Werror=stringop-truncation]
526 | strncpy(buf + 8, inquiry_string, sendbytes - 8);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since the actual size of the copy is already known at this point, just
copy the bytes directly and skip the length check and zero-padding.
This partially reverts an earlier bugfix that replaced the original
incorrect memcpy() with a less bad strncpy(), but it now also avoids
the original overflow.
Fixes: 88a5b39b69ab ("staging/rts5208: Fix read overflow in memcpy")
Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
---
drivers/staging/rts5208/rtsx_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
index 08bd768ad34d..a73b0959f5a9 100644
--- a/drivers/staging/rts5208/rtsx_scsi.c
+++ b/drivers/staging/rts5208/rtsx_scsi.c
@@ -523,7 +523,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
if (sendbytes > 8) {
memcpy(buf, inquiry_buf, 8);
- strncpy(buf + 8, inquiry_string, sendbytes - 8);
+ memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
if (pro_formatter_flag) {
/* Additional Length */
buf[4] = 0x33;
--
2.39.2
