Message ID | 1491850297-18235-1-git-send-email-javier@cnexlabs.com (mailing list archive) |
---|---|
State | New, archived |
On Mon, 2017-04-10 at 20:51 +0200, Javier González wrote:
> Convert sprintf calls to snprintf in order to make possible buffer
> overflow more obvious.
>
> Signed-off-by: Javier González <javier@cnexlabs.com>
> ---
> drivers/lightnvm/core.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> index c3340ef..bdbb333 100644
> --- a/drivers/lightnvm/core.c
> +++ b/drivers/lightnvm/core.c
> @@ -272,7 +272,8 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
> goto err_disk;
> blk_queue_make_request(tqueue, tt->make_rq);
>
> - sprintf(tdisk->disk_name, "%s", create->tgtname);
> + snprintf(tdisk->disk_name, sizeof(tdisk->disk_name), "%s",
> + create->tgtname);
> tdisk->flags = GENHD_FL_EXT_DEVT;
> tdisk->major = 0;
> tdisk->first_minor = 0;
> @@ -1195,13 +1196,13 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg)
> list_for_each_entry(dev, &nvm_devices, devices) {
> struct nvm_ioctl_device_info *info = &devices->info[i];
>
> - sprintf(info->devname, "%s", dev->name);
> + snprintf(info->devname, sizeof(info->devname), "%s", dev->name);
>
> /* kept for compatibility */
> info->bmversion[0] = 1;
> info->bmversion[1] = 0;
> info->bmversion[2] = 0;
> - sprintf(info->bmname, "%s", "gennvm");
> + snprintf(info->bmname, sizeof(info->bmname), "%s", "gennvm");
> i++;
>
> if (i > 31) {

Hello Javier,

Although the above changes look fine to me, have you considered to use strlcpy()
instead of snprintf() for these string copy operations?

Bart.
> On 10 Apr 2017, at 20.56, Bart Van Assche <Bart.VanAssche@sandisk.com> wrote:
>
> On Mon, 2017-04-10 at 20:51 +0200, Javier González wrote:
>> Convert sprintf calls to snprintf in order to make possible buffer
>> overflow more obvious.
>>
>> Signed-off-by: Javier González <javier@cnexlabs.com>
>> ---
>> drivers/lightnvm/core.c | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
>> index c3340ef..bdbb333 100644
>> --- a/drivers/lightnvm/core.c
>> +++ b/drivers/lightnvm/core.c
>> @@ -272,7 +272,8 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
>> goto err_disk;
>> blk_queue_make_request(tqueue, tt->make_rq);
>>
>> - sprintf(tdisk->disk_name, "%s", create->tgtname);
>> + snprintf(tdisk->disk_name, sizeof(tdisk->disk_name), "%s",
>> + create->tgtname);
>> tdisk->flags = GENHD_FL_EXT_DEVT;
>> tdisk->major = 0;
>> tdisk->first_minor = 0;
>> @@ -1195,13 +1196,13 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg)
>> list_for_each_entry(dev, &nvm_devices, devices) {
>> struct nvm_ioctl_device_info *info = &devices->info[i];
>>
>> - sprintf(info->devname, "%s", dev->name);
>> + snprintf(info->devname, sizeof(info->devname), "%s", dev->name);
>>
>> /* kept for compatibility */
>> info->bmversion[0] = 1;
>> info->bmversion[1] = 0;
>> info->bmversion[2] = 0;
>> - sprintf(info->bmname, "%s", "gennvm");
>> + snprintf(info->bmname, sizeof(info->bmname), "%s", "gennvm");
>> i++;
>>
>> if (i > 31) {
>
> Hello Javier,
>
> Although the above changes look fine to me, have you considered to use strlcpy()
> instead of snprintf() for these string copy operations?

You're right. It is a better way of doing it. Thanks!

>
> Bart.

Javier
diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
index c3340ef..bdbb333 100644
--- a/drivers/lightnvm/core.c
+++ b/drivers/lightnvm/core.c
@@ -272,7 +272,8 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
 goto err_disk;
 blk_queue_make_request(tqueue, tt->make_rq);
 
- sprintf(tdisk->disk_name, "%s", create->tgtname);
+ snprintf(tdisk->disk_name, sizeof(tdisk->disk_name), "%s",
+ create->tgtname);
 tdisk->flags = GENHD_FL_EXT_DEVT;
 tdisk->major = 0;
 tdisk->first_minor = 0;
@@ -1195,13 +1196,13 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg)
 list_for_each_entry(dev, &nvm_devices, devices) {
 struct nvm_ioctl_device_info *info = &devices->info[i];
 
- sprintf(info->devname, "%s", dev->name);
+ snprintf(info->devname, sizeof(info->devname), "%s", dev->name);
 
 /* kept for compatibility */
 info->bmversion[0] = 1;
 info->bmversion[1] = 0;
 info->bmversion[2] = 0;
- sprintf(info->bmname, "%s", "gennvm");
+ snprintf(info->bmname, sizeof(info->bmname), "%s", "gennvm");
 i++;
 
 if (i > 31) {
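Review bot: The new `snprintf()` into `tdisk->disk_name` in the first hunk discards its return value, so a `create->tgtname` that does not fit is truncated silently and the disk would presumably be set up under a different name than the one requested. Because `create` is the ioctl argument structure, I would reject that case instead of shortening it: test `if (snprintf(tdisk->disk_name, sizeof(tdisk->disk_name), "%s", create->tgtname) >= sizeof(tdisk->disk_name))` and fail with `-EINVAL` through the function's existing error path. Bounding the destination also does not bound the read of the source, since `%s` scans `create->tgtname` up to its NUL; the hunk does not show where that field is terminated, so that is worth confirming in the caller. `nvm_create_tgt()` starts and ends outside this hunk, so the correct unwind label is not visible here.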
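Review bot: In the `nvm_ioctl_get_devices()` hunk the two `snprintf()` calls write only up to the terminating NUL, so the bytes after it in `info->devname` and `info->bmname` keep whatever the buffer held before. `arg` is a `void __user *` and `devices` looks like the structure that is returned to the caller, so unless it is zero-allocated those tail bytes could carry stale kernel memory out to userspace; the allocation is outside the hunk and should be confirmed. A comment above the copies would record the assumption, e.g. `/* devices is zeroed at allocation, so the name tails stay NUL */`. The loop and the function both continue past the end of the hunk.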
Convert sprintf calls to snprintf in order to make possible buffer
overflow more obvious.

Signed-off-by: Javier González <javier@cnexlabs.com>
---
 drivers/lightnvm/core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)