Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name) (part 1)
ClosedPublic
Actions

Authored by asomers on Jan 4 2017, 12:10 AM.

Details

Reviewers

ken
slm
sepherosa_gmail.com
imp

Summary

The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are
fixed-length strings. AFAICT the only place they're read is in
sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated.
However, the kernel doesn't null-terminate them. A bunch of copy-pasted code
uses strncpy to write them, and doesn't guarantee null-termination. For at
least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually
overflows. You can see the result by doing "camcontrol negotiate da0 -v".

This change null-terminates those fields everywhere they're set in the
kernel. It also shortens a few strings to ensure they'll fit within the
16-character field.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 6554
Build 6776: arc lint + arc unit

Event Timeline

asomers updated this revision to Diff 23587.Jan 4 2017, 12:10 AM

asomers retitled this revision from to Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name) (part 1).

asomers updated this object.

asomers edited the test plan for this revision. (Show Details)

asomers added reviewers: ken, slm.

Herald added a subscriber: imp. · View Herald TranscriptJan 4 2017, 12:10 AM

This change is largely a no-op in terms of effect.
However, it eliminates dozens of false-positive uses of strncpy which people get wrong all the time and ensure that if cam_sim_name() is super-duper long we do something sensible (or at least fail-safe better than today's missing NUL). It's also a tiny performance win, but I doubt anybody can measure the effects of saving a few dozen cycles on boot.

This revision is now accepted and ready to land.Jan 4 2017, 2:17 AM

asomers added a reviewer: sepherosa_gmail.com.Jan 4 2017, 2:48 AM

Fixed by r311305