elevator: fix truncation of icq_cache_name

Message ID 20170603033551.17261-1-ebiggers3@gmail.com (mailing list archive)
State New, archived

Commit Message

Eric Biggers June 3, 2017, 3:35 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

gcc 7.1 reports the following warning:

    block/elevator.c: In function ‘elv_register’:
    block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
         "%s_io_cq", e->elevator_name);
         ^~~~~~~~~~
    block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
       snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         "%s_io_cq", e->elevator_name);
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The bug is that the name of the icq_cache is 6 characters longer than
the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
for it --- so in the case of a maximum-length elevator name, the 'q'
character in "_io_cq" would be truncated by snprintf().  Fix it by
reserving ELV_NAME_MAX + 6 characters instead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 include/linux/elevator.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
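The truncation described in the commit message, reproduced in user space as an added example (not code from the patch or the kernel). `ELV_NAME_MAX` = 16 is an assumption inferred from gcc's reported destination size of 21 for a buffer of `ELV_NAME_MAX + 5`; `format_icq_cache_name()` and `ICQ_SUFFIX` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 16, inferred from gcc's "destination of size 21" for a
 * buffer declared as ELV_NAME_MAX + 5. */
#define ELV_NAME_MAX 16
#define ICQ_SUFFIX   "_io_cq"

/*
 * Hypothetical helper: format "<elvname>_io_cq" into dst the way the
 * snprintf() call in the warning does. Returns the number of characters
 * that were cut off (0 if the whole name fit), or (size_t)-1 on error.
 */
static size_t format_icq_cache_name(char *dst, size_t dst_size,
                                    const char *elevator_name)
{
    int needed = snprintf(dst, dst_size, "%s" ICQ_SUFFIX, elevator_name);

    if (needed < 0)
        return (size_t)-1;
    if (dst_size == 0)
        return (size_t)needed;
    /* snprintf returns the length it wanted, excluding the NUL. */
    if ((size_t)needed >= dst_size)
        return (size_t)needed - (dst_size - 1);
    return 0;
}

int main(void)
{
    char longest[ELV_NAME_MAX];     /* constructed: 15 characters + NUL */
    char before[ELV_NAME_MAX + 5];  /* size before the patch */
    char after[ELV_NAME_MAX + 6];   /* size after the patch */
    size_t lost;

    memset(longest, 'x', sizeof(longest) - 1);
    longest[sizeof(longest) - 1] = '\0';

    lost = format_icq_cache_name(before, sizeof(before), longest);
    printf("+5: \"%s\" (%zu lost)\n", before, lost);
    lost = format_icq_cache_name(after, sizeof(after), longest);
    printf("+6: \"%s\" (%zu lost)\n", after, lost);
    return 0;
}
```

Checking the `snprintf()` return value against the buffer size, as the helper does, is how a caller can detect this kind of silent truncation at run time.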

Comments

Bart Van Assche June 6, 2017, 5:10 p.m. UTC | #1
On Fri, 2017-06-02 at 20:35 -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> gcc 7.1 reports the following warning:
> 
>     block/elevator.c: In function ‘elv_register’:
>     block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
>          "%s_io_cq", e->elevator_name);
>          ^~~~~~~~~~
>     block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
>        snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          "%s_io_cq", e->elevator_name);
>          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The bug is that the name of the icq_cache is 6 characters longer than
> the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
> for it --- so in the case of a maximum-length elevator name, the 'q'
> character in "_io_cq" would be truncated by snprintf().  Fix it by
> reserving ELV_NAME_MAX + 6 characters instead.

Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>

Jens Axboe June 6, 2017, 5:21 p.m. UTC | #2
On 06/02/2017 09:35 PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> gcc 7.1 reports the following warning:
> 
>     block/elevator.c: In function ‘elv_register’:
>     block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
>          "%s_io_cq", e->elevator_name);
>          ^~~~~~~~~~
>     block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
>        snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          "%s_io_cq", e->elevator_name);
>          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The bug is that the name of the icq_cache is 6 characters longer than
> the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
> for it --- so in the case of a maximum-length elevator name, the 'q'
> character in "_io_cq" would be truncated by snprintf().  Fix it by
> reserving ELV_NAME_MAX + 6 characters instead.

Added, thanks.

Patch

diff --git a/include/linux/elevator.h b/include/linux/elevator.h
index 9ec5e22846e0..0e306c5a86d6 100644
--- a/include/linux/elevator.h
+++ b/include/linux/elevator.h
@@ -153,7 +153,7 @@  struct elevator_type
 #endif
 
 	/* managed by elevator core */
-	char icq_cache_name[ELV_NAME_MAX + 5];	/* elvname + "_io_cq" */
+	char icq_cache_name[ELV_NAME_MAX + 6];	/* elvname + "_io_cq" */
 	struct list_head list;
 };
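Review bot: on the changed icq_cache_name line, the `+ 6` is a bare count of the characters in "_io_cq", and the unchanged comment beside it does not say where the terminating NUL is accounted for, which is the detail the old `+ 5` got wrong. Consider sizing the array as `ELV_NAME_MAX + sizeof("_io_cq") - 1`, or extending the comment to note that the NUL is covered by ELV_NAME_MAX (as gcc's 22-byte maximum for a 21-byte destination implies), so the size stays tied to the suffix if it is ever edited.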