The string buffer of lld name in tgtadm_req struct (req->lld) will not
be null-terminated if user specifies very long lld name for the
argument of -L or --lld option.
This is because the lld name is copied with strncpy function and its
size argument is the same as buffer size. In such a case, strncpy()
can truncate the string without appending a terminating null byte.
As a result, accesses to the lld name in mtask_execute function, for
instance, strlen(req->lld) or eprintf("...%s\n", req->lld), can
overrun.
This patch fixes the issue by setting a terminating null byte at the
end of the lld name buffer before mtask_execute() uses it.
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
---
usr/mgmt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/usr/mgmt.c b/usr/mgmt.c
index e795555..1eae0c9 100644
--- a/usr/mgmt.c
+++ b/usr/mgmt.c
@@ -479,6 +479,8 @@ static tgtadm_err mtask_execute(struct mgmt_task *mtask)
int lld_no;
tgtadm_err adm_err = TGTADM_INVALID_REQUEST;
+ req->lld[TGT_LLD_NAME_LEN - 1] = '\0';
+
if (!strlen(req->lld))
lld_no = 0;
else {
--
1.7.9.3
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
