
Fix off-by-one error in BERI virtio driver
Closed, Public

Authored by gonzo on Jan 16 2019, 2:59 AM.

Details

Summary

The hardcoded ident is exactly 20 bytes long, but sprintf adds a terminating zero, so there is one byte written out of array bounds. As a fix, use strncpy: it appends \0 only if space allows, and its behavior matches the virtio spec:

When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.

See PR 202298
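
Added example, not code from this revision or the FreeBSD tree: it contrasts the sprintf and strncpy patterns described in the summary on a 20-byte field, then reads the field back with a 20-byte bound. The struct, function names, guard value and identifier strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define ID_BYTES 20   /* identifier size from the spec text quoted above */
#define GUARD 0xA5    /* constructed marker standing in for adjacent memory */

/* Hypothetical model: the 20-byte ident field plus the byte right after it. */
struct region { unsigned char b[ID_BYTES + 1]; };

/* Pre-fix pattern: sprintf always appends '\0'. Returns 1 if the guard byte
 * after the field survived, 0 if it was overwritten, -1 if input is too long. */
int guard_intact_after_sprintf(const char *ident)
{
    struct region r;
    if (strlen(ident) > ID_BYTES) return -1;  /* keep the demo inside r.b */
    memset(r.b, GUARD, sizeof(r.b));
    sprintf((char *)r.b, "%s", ident);
    return r.b[ID_BYTES] == GUARD;
}

/* Fixed pattern: strncpy writes at most ID_BYTES and zero-pads shorter input. */
int guard_intact_after_strncpy(const char *ident)
{
    struct region r;
    memset(r.b, GUARD, sizeof(r.b));
    strncpy((char *)r.b, ident, ID_BYTES);
    return r.b[ID_BYTES] == GUARD;
}

/* Consumer side: the field may carry no '\0', so stop at ID_BYTES.
 * Returns the identifier length after a strncpy fill and bounded read. */
size_t roundtrip_len(const char *ident)
{
    unsigned char field[ID_BYTES];
    char out[ID_BYTES + 1];
    size_t n = 0;
    strncpy((char *)field, ident, ID_BYTES);
    while (n < ID_BYTES && field[n] != '\0') n++;
    memcpy(out, field, n);
    out[n] = '\0';
    return strlen(out);
}

int main(void)
{
    const char *full = "0123456789ABCDEFGHIJ";  /* constructed 20-byte ident */
    printf("guard intact: sprintf=%d strncpy=%d\n",
           guard_intact_after_sprintf(full), guard_intact_after_strncpy(full));
    printf("read back %zu bytes\n", roundtrip_len(full));
    return 0;
}
```

Any code that reads the identifier back has to apply the same 20-byte bound, since a full-length identifier arrives without a terminator.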

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

gonzo created this revision. Jan 16 2019, 2:59 AM
gonzo retitled this revision from Fix off-by-one error in BERI virtio driver The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero, so there is one byte written out of array bounds. As a fix use strncpy it appends \0 only if space allows and its behavior... to Fix off-by-one error in BERI virtio driver. Jan 16 2019, 3:03 AM
gonzo edited the summary of this revision.
br accepted this revision. Jan 21 2019, 11:26 AM
This revision is now accepted and ready to land. Jan 21 2019, 11:26 AM
This revision was automatically updated to reflect the committed changes.