Re: [PATCH] Fix buffer overrun issue of lld name

On Tue, 10 Dec 2013 18:25:34 +0900
Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> wrote:

> The string buffer of lld name in tgtadm_req struct (req->lld) will not
> be null-terminated if the user specifies a very long lld name for the
> argument of the -L or --lld option.
> 
> This is because the lld name is copied with strncpy function and its
> size argument is the same as buffer size.  In such a case, strncpy()
> can truncate the string without appending a terminating null byte.
> 
> As a result, accesses to the lld name in mtask_execute function, for
> instance, strlen(req->lld) or eprintf("...%s\n", req->lld), can
> overrun.
> 
> This patch fixes the issue by setting a terminating null byte at the
> end of the lld name buffer before mtask_execute() uses it.
> 
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
> ---
>  usr/mgmt.c |    2 ++
>  1 file changed, 2 insertions(+)

Looks good. Applied, thanks.
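
The failure mode described in the quoted commit message, shown as an added example that is not part of the original thread or the tgt source. The struct `demo_req`, the size `LLD_NAME_LEN` (64 is an assumed value) and all function names are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define LLD_NAME_LEN 64 /* assumed size; the real value is not on the page */

/* Hypothetical stand-in for the request struct named in the commit message. */
struct demo_req {
    char lld[LLD_NAME_LEN];
};

/* The copy as described: strncpy() with a size equal to the buffer size.
 * If strlen(name) >= LLD_NAME_LEN, no terminating NUL is written. */
static void copy_lld(struct demo_req *req, const char *name)
{
    strncpy(req->lld, name, sizeof(req->lld));
}

/* The fix as described: force a NUL into the last byte before any use. */
static void terminate_lld(struct demo_req *req)
{
    req->lld[sizeof(req->lld) - 1] = '\0';
}

/* Bounded length: never reads past the buffer, unlike strlen(). */
static size_t lld_len_bounded(const struct demo_req *req)
{
    const char *nul = memchr(req->lld, '\0', sizeof(req->lld));
    return nul ? (size_t)(nul - req->lld) : sizeof(req->lld);
}

static int lld_is_terminated(const struct demo_req *req)
{
    return lld_len_bounded(req) < sizeof(req->lld);
}

int main(void)
{
    char long_name[2 * LLD_NAME_LEN]; /* constructed over-long input */
    struct demo_req req;

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    copy_lld(&req, long_name);
    printf("after copy: terminated=%d\n", lld_is_terminated(&req));
    terminate_lld(&req);
    printf("after fix:  terminated=%d len=%zu\n",
           lld_is_terminated(&req), lld_len_bounded(&req));
    return 0;
}
```

A name of exactly `LLD_NAME_LEN` characters also leaves the buffer unterminated, so the boundary case is the buffer size itself, not only inputs longer than it.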