Fix off-by-one error in BERI virtio driver
ClosedPublic
Actions

Authored by gonzo on Jan 16 2019, 2:59 AM.

Details

Reviewers

Commits

rS345462: MFC r343998:
rS343998: Fix off-by-one error in BERI virtio driver

Summary

The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero, so there is one byte written out of array bounds.As a fix use strncpy it appends \0 only if space allows and its behavior matches virtio spec:

When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.

See PR 202298

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 21977
Build 21213: arc lint + arc unit

Event Timeline

gonzo created this revision.Jan 16 2019, 2:59 AM

Herald added a subscriber: imp. · View Herald TranscriptJan 16 2019, 2:59 AM

Harbormaster completed remote builds in B21977: Diff 52880.Jan 16 2019, 2:59 AM

gonzo retitled this revision from Fix off-by-one error in BERI virtio driver The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero, so there is one byte written out of array bounds. As a fix use strncpy it appends \0 only if space allows and its behavior... to Fix off-by-one error in BERI virtio driver.Jan 16 2019, 3:03 AM

gonzo edited the summary of this revision. (Show Details)

br accepted this revision.Jan 21 2019, 11:26 AM

This revision is now accepted and ready to land.Jan 21 2019, 11:26 AM

Closed by commit rS343998: Fix off-by-one error in BERI virtio driver (authored by gonzo). · Explain WhyFeb 11 2019, 7:42 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

sys/

dev/

beri/

virtio/

virtio_block.c

4 lines

Diff 52880

View Options

sys/dev/beri/virtio/virtio_block.c

Fix off-by-one error in BERI virtio driverClosedPublicActions