On Tue, 10 Dec 2013 18:25:34 +0900
Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> wrote:

> The string buffer of lld name in tgtadm_req struct (req->lld) will not
> be null-terminated if user specifies very long lld name for the
> argument of -L or --lld option.
>
> This is because the lld name is copied with strncpy function and its
> size argument is the same as buffer size. In such a case, strncpy()
> can truncate the string without appending a terminating null byte.
>
> As a result, accesses to the lld name in mtask_execute function, for
> instance, strlen(req->lld) or eprintf("...%s\n", req->lld), can
> overrun.
>
> This patch fixes the issue by setting a terminating null byte at the
> end of the lld name buffer before mtask_execute() uses it.
>
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
> ---
>  usr/mgmt.c | 2 ++
>  1 file changed, 2 insertions(+)

Looks good. Applied, thanks.
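
The strncpy() behaviour described in the commit message above, as an added example that is not part of the thread or of the tgt source. The struct, the 16-byte buffer size, the function names and the input strings are all constructed for illustration; the fixed variant writes the terminating null byte at the end of the buffer, which is the fix the message describes.

```c
#include <stdio.h>
#include <string.h>

#define LLD_BUF_LEN 16 /* constructed size; the thread does not state the real one */

/* Hypothetical stand-in for the request struct; only the lld buffer matters. */
struct demo_req {
    char lld[LLD_BUF_LEN];
    char next_field[8]; /* whatever happens to follow the buffer in memory */
};

/* Returns 1 if buf contains a null byte within its first len bytes, else 0. */
static int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Copy as the commit message describes it: size argument == buffer size. */
static void copy_lld_unfixed(struct demo_req *req, const char *name)
{
    strncpy(req->lld, name, sizeof(req->lld));
}

/* Same copy, then force a terminating null byte at the end of the buffer. */
static void copy_lld_fixed(struct demo_req *req, const char *name)
{
    strncpy(req->lld, name, sizeof(req->lld));
    req->lld[sizeof(req->lld) - 1] = '\0';
}

int main(void)
{
    const char *long_name = "a-very-long-lld-name-from-the-command-line"; /* constructed */
    struct demo_req req;

    memset(&req, 'X', sizeof(req)); /* non-zero filler so a missing terminator is visible */
    copy_lld_unfixed(&req, long_name);
    /* Bounded check only: calling strlen() or printing with %s here would read past lld. */
    printf("unfixed: terminated=%d\n", is_terminated(req.lld, sizeof(req.lld)));

    memset(&req, 'X', sizeof(req));
    copy_lld_fixed(&req, long_name);
    printf("fixed:   terminated=%d lld=\"%s\"\n",
           is_terminated(req.lld, sizeof(req.lld)), req.lld);
    return 0;
}
```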