From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alasdair G Kergon
Subject: Re: strncat() misuse (was: Re: dm_attr_{name,uuid}_show buffer overflow? (was: Re: linux-next: Tree for January 5))
Date: Tue, 6 Jan 2009 01:27:59 +0000
Message-ID: <20090106012759.GA3512@agk.fab.redhat.com>
References: <20090105173517.deeff918.sfr@canb.auug.org.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Received: from mx2.redhat.com ([66.187.237.31]:42884 "EHLO mx2.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750774AbZAFB3A (ORCPT ); Mon, 5 Jan 2009 20:29:00 -0500
Content-Disposition: inline
In-Reply-To:
Sender: linux-next-owner@vger.kernel.org
List-ID:
To: Geert Uytterhoeven
Cc: Stephen Rothwell , Milan Broz , Jaya Kumar , Laurent Pinchart , Mauro Carvalho Chehab , Gene Sally , Sam Ravnborg , Andrew Morton , linux-next@vger.kernel.org, LKML

On Mon, Jan 05, 2009 at 11:18:38PM +0100, Geert Uytterhoeven wrote:
> On Mon, 5 Jan 2009, Geert Uytterhoeven wrote:
> > On Mon, 5 Jan 2009, Stephen Rothwell wrote:
> > | strncat(buf, "\n", DM_NAME_LEN);
> > | return strnlen(buf, DM_NAME_LEN);

> > Probably the intention was to limit the string in _buf_ (not the source string
> > "\n") to DM_NAME_LEN? If yes, this may cause a buffer overflow.

Both the 'n's look bogus to me as runtime checks.

But I think the code happens to work correctly - apart from your
compilation problem. buf is always a page and both strings (name and
uuid) are NULL-terminated and the longest possible is 128 chars of uuid
plus the "\n" i.e. 130 (except for a bug I noticed on one code path
which we'll fix).

Alasdair
-- 
agk@redhat.com
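
The strncat() behaviour discussed in this message, as an added example that is not part of the original e-mail or the device-mapper code: the third argument bounds what is taken from the source, so it cannot protect the destination. NAME_LEN, BACKING and both function names are constructed stand-ins; the misuse runs inside a larger backing array so nothing is actually overrun.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8    /* constructed stand-in for DM_NAME_LEN */
#define BACKING  64   /* constructed stand-in for the page-sized buffer */

/* The quoted pattern: n limits the bytes copied from "\n", not the size
 * of buf. Returns the bytes buf must hold (string plus NUL) afterwards. */
static size_t bytes_needed_after_misuse(const char *name)
{
    char buf[BACKING];

    snprintf(buf, sizeof(buf), "%s", name);
    strncat(buf, "\n", NAME_LEN);   /* appends "\n" however full buf is */
    return strlen(buf) + 1;
}

/* Append bounded by the destination size. Returns 0 on success, -1 if
 * dst is unterminated or src does not fit (dst is left unchanged). */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    size_t used, need = strlen(src);

    if (!end)
        return -1;
    used = (size_t)(end - dst);
    if (need > cap - used - 1)      /* keep one byte for the NUL */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

int main(void)
{
    char full[NAME_LEN] = "abcdefg";   /* 7 chars + NUL: no room left */
    char part[NAME_LEN] = "abc";
    int r_full = append_bounded(full, sizeof(full), "\n");
    int r_part = append_bounded(part, sizeof(part), "\n");

    printf("misuse: %zu bytes needed against a limit of %d\n",
           bytes_needed_after_misuse("abcdefg"), NAME_LEN);
    printf("bounded append on full buffer: %d\n", r_full);
    printf("bounded append with room: %d\n", r_part);
    return 0;
}
```

With a 7-character name the misuse needs 9 bytes against a limit of 8, which is harmless only when the real destination is larger than the limit, as with the page-sized buffer described above.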