On Wed, Feb 01, 2023 at 04:57:02PM -0800, Darrick J. Wong wrote: > On Mon, Jan 09, 2023 at 07:40:43PM +0800, yang.yang29@xxxxxxxxxx wrote: > > From: Xu Panda <xu.panda@xxxxxxxxxx> > > > > The implementation of strscpy() is more robust and safer. > > That's now the recommended way to copy NUL-terminated strings. > > > > Signed-off-by: Xu Panda <xu.panda@xxxxxxxxxx> > > Signed-off-by: Yang Yang <yang.yang29@xxxxxxxxxx> > > Looks fine, > Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx> > > --D > > > --- > > fs/xfs/xfs_xattr.c | 4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c > > index 10aa1fd39d2b..913c1794bc2f 100644 > > --- a/fs/xfs/xfs_xattr.c > > +++ b/fs/xfs/xfs_xattr.c > > @@ -212,9 +212,7 @@ __xfs_xattr_put_listent( > > offset = context->buffer + context->count; > > memcpy(offset, prefix, prefix_len); > > offset += prefix_len; > > - strncpy(offset, (char *)name, namelen); /* real name */ > > - offset += namelen; > > - *offset = '\0'; > > + strscpy(offset, (char *)name, namelen + 1); /* real name */ The name is not null terminated, it will result slab-out-of-bounds in strscpy(). [1] https://lore.kernel.org/linux-xfs/00000000000065a46a05f4529f59@xxxxxxxxxx/T/#u > > > > compute_size: > > context->count += prefix_len + namelen + 1; > > -- > > 2.15.2
