From: Hannes Reinecke <hare@suse.de>
To: Arnd Bergmann <arnd@arndb.de>, Hannes Reinecke <hare@kernel.org>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scsi: myrb: fix sprintf buffer overflow warning
Date: Sat, 3 Nov 2018 09:46:49 +0100 [thread overview]
Message-ID: <6a012c05-67a5-e899-f636-db01b79dfbf2@suse.de> (raw)
In-Reply-To: <20181102153458.1567593-1-arnd@arndb.de>
On 11/2/18 4:34 PM, Arnd Bergmann wrote:
> gcc warns that the 12 byte fw_version field might not be long enough to
> contain the generated firmware name string:
>
> drivers/scsi/myrb.c: In function 'myrb_get_hba_config':
> drivers/scsi/myrb.c:1052:38: error: '%02d' directive writing between 2 and 3 bytes into a region of size between 2 and 5 [-Werror=format-overflow=]
> sprintf(cb->fw_version, "%d.%02d-%c-%02d",
> ^~~~
> drivers/scsi/myrb.c:1052:26: note: directive argument in the range [0, 255]
> sprintf(cb->fw_version, "%d.%02d-%c-%02d",
> ^~~~~~~~~~~~~~~~~
> drivers/scsi/myrb.c:1052:2: note: 'sprintf' output between 10 and 14 bytes into a destination of size 12
> sprintf(cb->fw_version, "%d.%02d-%c-%02d",
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> enquiry2->fw.major_version,
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> enquiry2->fw.minor_version,
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> enquiry2->fw.firmware_type,
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> enquiry2->fw.turn_id);
> ~~~~~~~~~~~~~~~~~~~~~
>
> I have not checked whether there are appropriate range checks before the
> sprintf, but there is a range check after it that will bail out in case
> of out of range version numbers. This means we can simply use snprintf()
> instead of sprintf() to limit the output buffer size, and it will work
> correctly.
>
> Fixes: 081ff398c56c ("scsi: myrb: Add Mylex RAID controller (block interface)")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/scsi/myrb.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/myrb.c b/drivers/scsi/myrb.c
> index aeb282f617c5..0642f2d0a3bb 100644
> --- a/drivers/scsi/myrb.c
> +++ b/drivers/scsi/myrb.c
> @@ -1049,7 +1049,8 @@ static int myrb_get_hba_config(struct myrb_hba *cb)
> enquiry2->fw.firmware_type = '0';
> enquiry2->fw.turn_id = 0;
> }
> - sprintf(cb->fw_version, "%d.%02d-%c-%02d",
> + snprintf(cb->fw_version, sizeof(cb->fw_version),
> + "%d.%02d-%c-%02d",
> enquiry2->fw.major_version,
> enquiry2->fw.minor_version,
> enquiry2->fw.firmware_type,
>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Cheers,
Hannes
next prev parent reply other threads:[~2018-11-03 8:46 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-02 15:34 [PATCH] scsi: myrb: fix sprintf buffer overflow warning Arnd Bergmann
2018-11-03 8:46 ` Hannes Reinecke [this message]
2018-11-06 3:35 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a012c05-67a5-e899-f636-db01b79dfbf2@suse.de \
--to=hare@suse.de \
--cc=arnd@arndb.de \
--cc=hare@kernel.org \
--cc=jejb@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).