[dpdk-dev,v3] examples/vhost_scsi: fix buffer not terminated
Checks
Commit Message
Use snprintf instead strncpy to get safe null string termination.
There was possible to get not terminated string after strncpy operation.
Coverity issue: 158631
Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app")
Cc: changpeng.liu@intel.com
Cc: stable@dpdk.org
Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com>
---
examples/vhost_scsi/scsi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On 10/12/2017 01:34 PM, Jacek Piasecki wrote:
> Use snprintf instead strncpy to get safe null string termination.
> There was possible to get not terminated string after strncpy operation.
>
> Coverity issue: 158631
> Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app")
> Cc: changpeng.liu@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com>
> ---
> examples/vhost_scsi/scsi.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c
> index 54d3104..2de3110 100644
> --- a/examples/vhost_scsi/scsi.c
> +++ b/examples/vhost_scsi/scsi.c
> @@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev,
> strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
>
> /* PRODUCT IDENTIFICATION */
> - strncpy((char *)inqdata->product_id, bdev->product_name, 16);
> + snprintf((char *)inqdata->product_id,
> + ARRAY_SIZE(inqdata->product_id), "%s",
> + bdev->product_name);
>
> /* PRODUCT REVISION LEVEL */
> strncpy((char *)inqdata->product_rev, "0001", 4);
>
Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Thanks,
Maxime
On Fri, Oct 13, 2017 at 09:12:33AM +0200, Maxime Coquelin wrote:
>
>
> On 10/12/2017 01:34 PM, Jacek Piasecki wrote:
> >Use snprintf instead strncpy to get safe null string termination.
> >There was possible to get not terminated string after strncpy operation.
> >
> >Coverity issue: 158631
> >Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app")
> >Cc: changpeng.liu@intel.com
> >Cc: stable@dpdk.org
> >
> >Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com>
> >---
> > examples/vhost_scsi/scsi.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> >diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c
> >index 54d3104..2de3110 100644
> >--- a/examples/vhost_scsi/scsi.c
> >+++ b/examples/vhost_scsi/scsi.c
> >@@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev,
> > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
> > /* PRODUCT IDENTIFICATION */
> >- strncpy((char *)inqdata->product_id, bdev->product_name, 16);
> >+ snprintf((char *)inqdata->product_id,
> >+ ARRAY_SIZE(inqdata->product_id), "%s",
> >+ bdev->product_name);
> > /* PRODUCT REVISION LEVEL */
> > strncpy((char *)inqdata->product_rev, "0001", 4);
> >
>
> Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Firstly, sorry for being so late response. And,
Applied to dpdk-next-virtio. Thanks!
--yliu
17/10/2017 15:26, Yuanhan Liu:
> On Fri, Oct 13, 2017 at 09:12:33AM +0200, Maxime Coquelin wrote:
> > On 10/12/2017 01:34 PM, Jacek Piasecki wrote:
> > >--- a/examples/vhost_scsi/scsi.c
> > >+++ b/examples/vhost_scsi/scsi.c
> > >@@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev,
> > > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
> > > /* PRODUCT IDENTIFICATION */
> > >- strncpy((char *)inqdata->product_id, bdev->product_name, 16);
> > >+ snprintf((char *)inqdata->product_id,
> > >+ ARRAY_SIZE(inqdata->product_id), "%s",
> > >+ bdev->product_name);
> > > /* PRODUCT REVISION LEVEL */
> > > strncpy((char *)inqdata->product_rev, "0001", 4);
> >
> > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>
> Firstly, sorry for being so late response. And,
>
> Applied to dpdk-next-virtio. Thanks!
I don't know where this ARRAY_SIZE comes from.
It does not compile.
In DPDK you can use RTE_DIM.
This patch is removed from the next-virtio pull queue.
@@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev,
strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
/* PRODUCT IDENTIFICATION */
- strncpy((char *)inqdata->product_id, bdev->product_name, 16);
+ snprintf((char *)inqdata->product_id,
+ ARRAY_SIZE(inqdata->product_id), "%s",
+ bdev->product_name);
/* PRODUCT REVISION LEVEL */
strncpy((char *)inqdata->product_rev, "0001", 4);