scsi: scsi_devinfo: handle non-terminated strings

Commit Message

Martin Wilck Nov. 27, 2017, 10:47 p.m. UTC

devinfo->vendor and devinfo->model aren't necessarily
zero-terminated.

Fixes: b8018b973c7c "scsi_devinfo: fixup string compare"
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
 drivers/scsi/scsi_devinfo.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Bart Van Assche Nov. 28, 2017, 4:59 p.m. UTC | #1

On Mon, 2017-11-27 at 23:47 +0100, Martin Wilck wrote:
> devinfo->vendor and devinfo->model aren't necessarily

> zero-terminated.


Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>

Martin K. Petersen Dec. 5, 2017, 3:08 a.m. UTC | #2

Martin,

> devinfo->vendor and devinfo->model aren't necessarily
> zero-terminated.

Applied to 4.15/scsi-fixes. Thank you!

Patch

diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
index fe5a9ea27b5e..d6db5697472e 100644
--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -458,7 +458,8 @@  static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
 			/*
 			 * vendor strings must be an exact match
 			 */
-			if (vmax != strlen(devinfo->vendor) ||
+			if (vmax != strnlen(devinfo->vendor,
+					    sizeof(devinfo->vendor)) ||
 			    memcmp(devinfo->vendor, vskip, vmax))
 				continue;
 
@@ -466,7 +467,7 @@  static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
 			 * @model specifies the full string, and
 			 * must be larger or equal to devinfo->model
 			 */
-			mlen = strlen(devinfo->model);
+			mlen = strnlen(devinfo->model, sizeof(devinfo->model));
 			if (mmax < mlen || memcmp(devinfo->model, mskip, mlen))
 				continue;
 			return devinfo;