
Fix off-by-one error in BERI virtio driver
ClosedPublic

Authored by gonzo on Jan 16 2019, 2:59 AM.

Details

Summary

The hardcoded ident is exactly 20 bytes long, but sprintf adds a terminating zero, so there is one byte written out of array bounds. As a fix, use strncpy: it appends \0 only if space allows, and its behavior matches the virtio spec:

When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.

See PR 202298
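The off-by-one described in the summary, as an added example that is not the driver's code or part of the original revision: it counts the bytes each call writes for a 20-character identifier and shows a bounded read of the possibly unterminated field. `ID_BYTES`, the function names and the identifier strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_BYTES 20    /* GET_ID buffer size from the spec text quoted above */
#define FILL     0xAA  /* marker byte used to detect which bytes were written */

/* Constructed sample identifiers, not the driver's real ident. */
static const char ident_full[]  = "CONSTRUCTED-IDENT-20"; /* exactly 20 chars */
static const char ident_short[] = "SHORT-ID";

/* Writers run against an oversized scratch area so the extra byte is
 * observable without corrupting memory. Returns the bytes written. */
static size_t touched(const unsigned char *s, size_t len)
{
    size_t end = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] != FILL) end = i + 1;
    return end;
}

size_t written_by_sprintf(const char *ident)  /* ident must be < 64 chars */
{
    unsigned char scratch[64];
    memset(scratch, FILL, sizeof(scratch));
    sprintf((char *)scratch, "%s", ident);      /* always appends a NUL */
    return touched(scratch, sizeof(scratch));
}

size_t written_by_strncpy(const char *ident)
{
    unsigned char scratch[64];
    memset(scratch, FILL, sizeof(scratch));
    strncpy((char *)scratch, ident, ID_BYTES);  /* never exceeds ID_BYTES */
    return touched(scratch, sizeof(scratch));
}

/* Reader side: the field has no NUL when the ID is exactly 20 bytes,
 * so copy at most ID_BYTES and terminate in a larger buffer. */
size_t id_to_cstr(const char field[ID_BYTES], char out[ID_BYTES + 1])
{
    size_t n = 0;
    while (n < ID_BYTES && field[n] != '\0') n++;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    printf("sprintf: %zu bytes, strncpy: %zu bytes\n",
           written_by_sprintf(ident_full), written_by_strncpy(ident_full));
    return 0;
}
```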

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

gonzo retitled this revision from "Fix off-by-one error in BERI virtio driver The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero, so there is one byte written out of array bounds. As a fix use strncpy it appends \0 only if space allows and its behavior..." to "Fix off-by-one error in BERI virtio driver". (Jan 16 2019, 3:03 AM)
gonzo edited the summary of this revision.
This revision is now accepted and ready to land. (Jan 21 2019, 11:26 AM)
This revision was automatically updated to reflect the committed changes.