| Message ID | 202301091940437129873@zte.com.cn (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [linux-next] xfs: use strscpy() to instead of strncpy() | expand |
On Mon, Jan 09, 2023 at 07:40:43PM +0800, yang.yang29@zte.com.cn wrote: > From: Xu Panda <xu.panda@zte.com.cn> > > The implementation of strscpy() is more robust and safer. > That's now the recommended way to copy NUL-terminated strings. > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> Looks fine, Reviewed-by: Darrick J. Wong <djwong@kernel.org> --D > --- > fs/xfs/xfs_xattr.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c > index 10aa1fd39d2b..913c1794bc2f 100644 > --- a/fs/xfs/xfs_xattr.c > +++ b/fs/xfs/xfs_xattr.c > @@ -212,9 +212,7 @@ __xfs_xattr_put_listent( > offset = context->buffer + context->count; > memcpy(offset, prefix, prefix_len); > offset += prefix_len; > - strncpy(offset, (char *)name, namelen); /* real name */ > - offset += namelen; > - *offset = '\0'; > + strscpy(offset, (char *)name, namelen + 1); /* real name */ > > compute_size: > context->count += prefix_len + namelen + 1; > -- > 2.15.2
On Wed, Feb 01, 2023 at 04:57:02PM -0800, Darrick J. Wong wrote: > On Mon, Jan 09, 2023 at 07:40:43PM +0800, yang.yang29@zte.com.cn wrote: > > From: Xu Panda <xu.panda@zte.com.cn> > > > > The implementation of strscpy() is more robust and safer. > > That's now the recommended way to copy NUL-terminated strings. > > > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> > > Looks fine, > Reviewed-by: Darrick J. Wong <djwong@kernel.org> > > --D > > > --- > > fs/xfs/xfs_xattr.c | 4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c > > index 10aa1fd39d2b..913c1794bc2f 100644 > > --- a/fs/xfs/xfs_xattr.c > > +++ b/fs/xfs/xfs_xattr.c > > @@ -212,9 +212,7 @@ __xfs_xattr_put_listent( > > offset = context->buffer + context->count; > > memcpy(offset, prefix, prefix_len); > > offset += prefix_len; > > - strncpy(offset, (char *)name, namelen); /* real name */ > > - offset += namelen; > > - *offset = '\0'; > > + strscpy(offset, (char *)name, namelen + 1); /* real name */ The name is not null terminated, it will result slab-out-of-bounds in strscpy(). [1] https://lore.kernel.org/linux-xfs/00000000000065a46a05f4529f59@google.com/T/#u > > > > compute_size: > > context->count += prefix_len + namelen + 1; > > -- > > 2.15.2
diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c index 10aa1fd39d2b..913c1794bc2f 100644 --- a/fs/xfs/xfs_xattr.c +++ b/fs/xfs/xfs_xattr.c @@ -212,9 +212,7 @@ __xfs_xattr_put_listent( offset = context->buffer + context->count; memcpy(offset, prefix, prefix_len); offset += prefix_len; - strncpy(offset, (char *)name, namelen); /* real name */ - offset += namelen; - *offset = '\0'; + strscpy(offset, (char *)name, namelen + 1); /* real name */ compute_size: context->count += prefix_len + namelen + 1;