[PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
Hannes Reinecke
hare at suse.de
Sun Sep 5 23:59:03 PDT 2021
On 9/1/21 2:22 PM, Christoph Hellwig wrote:
> On Fri, Aug 27, 2021 at 06:26:36PM +0200, Christoph Hellwig wrote:
>> On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
>>> The serial number is copied into the buffer via memcpy_and_pad()
>>> with the length NVMET_SN_MAX_SIZE. So when printing out we also
>>> need to take just that length as anything beyond that will be
>>> uninitialized.
>>>
>>> Signed-off-by: Hannes Reinecke <hare at suse.de>
>>
>> The normal way to print a potentially unterminated fixed length string
>> would be something like:
>
> Does this version still look ok to you?
>
>>
>> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
>> index f74485c705ff2..d784f3c200b4c 100644
>> --- a/drivers/nvme/target/configfs.c
>> +++ b/drivers/nvme/target/configfs.c
>> @@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
>> {
>> struct nvmet_subsys *subsys = to_subsys(item);
>>
>> - return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
>> + return snprintf(page, PAGE_SIZE, "%*s\n",
>> + NVMET_SN_MAX_SIZE, subsys->serial);
>> }
>>
>> static ssize_t
> ---end quoted text---
>
Yes, it does; will be sending an updated patch.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer
More information about the Linux-nvme
mailing list