On Tue, 10 Dec 2013 18:25:34 +0900
Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> wrote:
> The string buffer of lld name in tgtadm_req struct (req->lld) will not
> be null-terminated if user specifies very long lld name for the
> argument of -L or --lld option.
>
> This is because the lld name is copied with strncpy function and its
> size argument is the same as buffer size. In such a case, strncpy()
> can truncate the string without appending a terminating null byte.
>
> As a result, accesses to the lld name in mtask_execute function, for
> instance, strlen(req->lld) or eprintf("...%s\n", req->lld), can
> overrun.
>
> This patch fixes the issue by setting a terminating null byte at the
> end of the lld name buffer before mtask_execute() uses it.
>
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
> ---
> usr/mgmt.c | 2 ++
> 1 file changed, 2 insertions(+)
Looks good. Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
