* [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated
@ 2017-09-22 13:07 Michal Jastrzebski
2017-10-02 13:50 ` Jastrzebski, MichalX K
2017-10-12 6:44 ` [dpdk-dev] [PATCH v2] " Jacek Piasecki
0 siblings, 2 replies; 15+ messages in thread
From: Michal Jastrzebski @ 2017-09-22 13:07 UTC (permalink / raw)
To: yliu, maxime.coquelin
Cc: dev, deepak.k.jain, Jacek Piasecki, changpeng.liu, stable
From: Jacek Piasecki <jacekx.piasecki@intel.com>
Fix size of buffer in strcpy. There was possible to get
not terminated string after copy operation.
Coverity issue: 158631
Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app")
Cc: changpeng.liu@intel.com
Cc: stable@dpdk.org
Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com>
---
examples/vhost_scsi/scsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c
index 54d3104..de9639a 100644
--- a/examples/vhost_scsi/scsi.c
+++ b/examples/vhost_scsi/scsi.c
@@ -307,7 +307,8 @@
strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8);
/* PRODUCT IDENTIFICATION */
- strncpy((char *)inqdata->product_id, bdev->product_name, 16);
+ strncpy((char *)inqdata->product_id, bdev->product_name,
+ ARRAY_SIZE(inqdata->product_id) - 1);
/* PRODUCT REVISION LEVEL */
strncpy((char *)inqdata->product_rev, "0001", 4);
--
1.9.1
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-09-22 13:07 [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated Michal Jastrzebski @ 2017-10-02 13:50 ` Jastrzebski, MichalX K 2017-10-02 15:07 ` Maxime Coquelin 2017-10-12 6:44 ` [dpdk-dev] [PATCH v2] " Jacek Piasecki 1 sibling, 1 reply; 15+ messages in thread From: Jastrzebski, MichalX K @ 2017-10-02 13:50 UTC (permalink / raw) To: Jastrzebski, MichalX K, yliu, maxime.coquelin Cc: dev, Jain, Deepak K, Piasecki, JacekX, Liu, Changpeng, stable > -----Original Message----- > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal Jastrzebski > Sent: Friday, September 22, 2017 3:08 PM > To: yliu@fridaylinux.org; maxime.coquelin@redhat.com > Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, > JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng > <changpeng.liu@intel.com>; stable@dpdk.org > Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated > > From: Jacek Piasecki <jacekx.piasecki@intel.com> > > Fix size of buffer in strcpy. There was possible to get > not terminated string after copy operation. > > Coverity issue: 158631 > Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") > Cc: changpeng.liu@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > --- > examples/vhost_scsi/scsi.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c > index 54d3104..de9639a 100644 > --- a/examples/vhost_scsi/scsi.c > +++ b/examples/vhost_scsi/scsi.c > @@ -307,7 +307,8 @@ > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > /* PRODUCT IDENTIFICATION */ > - strncpy((char *)inqdata->product_id, bdev->product_name, > 16); > + strncpy((char *)inqdata->product_id, bdev->product_name, > + ARRAY_SIZE(inqdata->product_id) - 1); > > /* PRODUCT REVISION LEVEL */ > strncpy((char *)inqdata->product_rev, "0001", 4); > -- > 1.9.1 Hi Yu / Maxime, I would like to ask for a feedback regarding proposed fix. If everything is ok with it, please send acked-by. Best regards Michal. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-10-02 13:50 ` Jastrzebski, MichalX K @ 2017-10-02 15:07 ` Maxime Coquelin 2017-10-05 12:35 ` Piasecki, JacekX 0 siblings, 1 reply; 15+ messages in thread From: Maxime Coquelin @ 2017-10-02 15:07 UTC (permalink / raw) To: Jastrzebski, MichalX K, yliu Cc: dev, Jain, Deepak K, Piasecki, JacekX, Liu, Changpeng, stable On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote: >> -----Original Message----- >> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal Jastrzebski >> Sent: Friday, September 22, 2017 3:08 PM >> To: yliu@fridaylinux.org; maxime.coquelin@redhat.com >> Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, >> JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng >> <changpeng.liu@intel.com>; stable@dpdk.org >> Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated >> >> From: Jacek Piasecki <jacekx.piasecki@intel.com> >> >> Fix size of buffer in strcpy. There was possible to get >> not terminated string after copy operation. >> >> Coverity issue: 158631 >> Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") >> Cc: changpeng.liu@intel.com >> Cc: stable@dpdk.org >> >> Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> >> --- >> examples/vhost_scsi/scsi.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c >> index 54d3104..de9639a 100644 >> --- a/examples/vhost_scsi/scsi.c >> +++ b/examples/vhost_scsi/scsi.c >> @@ -307,7 +307,8 @@ >> strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); >> >> /* PRODUCT IDENTIFICATION */ >> - strncpy((char *)inqdata->product_id, bdev->product_name, >> 16); >> + strncpy((char *)inqdata->product_id, bdev->product_name, >> + ARRAY_SIZE(inqdata->product_id) - 1); Does it assume that product_id is memzero'ed before? IIUC strncpy manpage, it wouldn't protect against non-null terminated strings if it is not the case: " A simple implementation of strncpy() might be: char * strncpy(char *dest, const char *src, size_t n) { size_t i; for (i = 0; i < n && src[i] != '\0'; i++) dest[i] = src[i]; for ( ; i < n; i++) dest[i] = '\0'; return dest; } " Cheers, Maxime >> >> /* PRODUCT REVISION LEVEL */ >> strncpy((char *)inqdata->product_rev, "0001", 4); >> -- >> 1.9.1 > > Hi Yu / Maxime, > I would like to ask for a feedback regarding proposed fix. > If everything is ok with it, please send acked-by. > > Best regards > Michal. > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-10-02 15:07 ` Maxime Coquelin @ 2017-10-05 12:35 ` Piasecki, JacekX 2017-10-05 12:42 ` Maxime Coquelin 0 siblings, 1 reply; 15+ messages in thread From: Piasecki, JacekX @ 2017-10-05 12:35 UTC (permalink / raw) To: Maxime Coquelin, Jastrzebski, MichalX K, yliu Cc: dev, Jain, Deepak K, Liu, Changpeng -----Original Message----- From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com] Sent: Monday, 2 October, 2017 17:07 To: Jastrzebski, MichalX K <michalx.k.jastrzebski@intel.com>; yliu@fridaylinux.org Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng <changpeng.liu@intel.com>; stable@dpdk.org Subject: Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote: >> -----Original Message----- >> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal >> Jastrzebski >> Sent: Friday, September 22, 2017 3:08 PM >> To: yliu@fridaylinux.org; maxime.coquelin@redhat.com >> Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, >> JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng >> <changpeng.liu@intel.com>; stable@dpdk.org >> Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not >> terminated >> >> From: Jacek Piasecki <jacekx.piasecki@intel.com> >> >> Fix size of buffer in strcpy. There was possible to get not >> terminated string after copy operation. >> >> Coverity issue: 158631 >> Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample >> app") >> Cc: changpeng.liu@intel.com >> Cc: stable@dpdk.org >> >> Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> >> --- >> examples/vhost_scsi/scsi.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c >> index 54d3104..de9639a 100644 >> --- a/examples/vhost_scsi/scsi.c >> +++ b/examples/vhost_scsi/scsi.c >> @@ -307,7 +307,8 @@ >> strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); >> >> /* PRODUCT IDENTIFICATION */ >> - strncpy((char *)inqdata->product_id, bdev->product_name, >> 16); >> + strncpy((char *)inqdata->product_id, bdev->product_name, >> + ARRAY_SIZE(inqdata->product_id) - 1); Does it assume that product_id is memzero'ed before? IIUC strncpy manpage, it wouldn't protect against non-null terminated strings if it is not the case: Yes, I assumed that this area is zeroed before strncpy. Earlier there is a casting from *task to *inqdata (*task is zmalloced). To be sure that the destination area is clear I propose to add: memset(inqdata->product_id, 0, ARRAY_SIZE(inqdata->product_id)); before strncpy. Would that be OK? Regards, Jacek >> >> /* PRODUCT REVISION LEVEL */ >> strncpy((char *)inqdata->product_rev, "0001", 4); >> -- >> 1.9.1 > > Hi Yu / Maxime, > I would like to ask for a feedback regarding proposed fix. > If everything is ok with it, please send acked-by. > > Best regards > Michal. > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-10-05 12:35 ` Piasecki, JacekX @ 2017-10-05 12:42 ` Maxime Coquelin 2017-10-05 13:01 ` Bruce Richardson 0 siblings, 1 reply; 15+ messages in thread From: Maxime Coquelin @ 2017-10-05 12:42 UTC (permalink / raw) To: Piasecki, JacekX, Jastrzebski, MichalX K, yliu Cc: dev, Jain, Deepak K, Liu, Changpeng On 10/05/2017 02:35 PM, Piasecki, JacekX wrote: > -----Original Message----- > From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com] > Sent: Monday, 2 October, 2017 17:07 > To: Jastrzebski, MichalX K <michalx.k.jastrzebski@intel.com>; yliu@fridaylinux.org > Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng <changpeng.liu@intel.com>; stable@dpdk.org > Subject: Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated > > > > On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote: >>> -----Original Message----- >>> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal >>> Jastrzebski >>> Sent: Friday, September 22, 2017 3:08 PM >>> To: yliu@fridaylinux.org; maxime.coquelin@redhat.com >>> Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, >>> JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng >>> <changpeng.liu@intel.com>; stable@dpdk.org >>> Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not >>> terminated >>> >>> From: Jacek Piasecki <jacekx.piasecki@intel.com> >>> >>> Fix size of buffer in strcpy. There was possible to get not >>> terminated string after copy operation. >>> >>> Coverity issue: 158631 >>> Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample >>> app") >>> Cc: changpeng.liu@intel.com >>> Cc: stable@dpdk.org >>> >>> Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> >>> --- >>> examples/vhost_scsi/scsi.c | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c >>> index 54d3104..de9639a 100644 >>> --- a/examples/vhost_scsi/scsi.c >>> +++ b/examples/vhost_scsi/scsi.c >>> @@ -307,7 +307,8 @@ >>> strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); >>> >>> /* PRODUCT IDENTIFICATION */ >>> - strncpy((char *)inqdata->product_id, bdev->product_name, >>> 16); >>> + strncpy((char *)inqdata->product_id, bdev->product_name, >>> + ARRAY_SIZE(inqdata->product_id) - 1); > > Does it assume that product_id is memzero'ed before? > IIUC strncpy manpage, it wouldn't protect against non-null terminated strings if it is not the case: > > Yes, I assumed that this area is zeroed before strncpy. Earlier there is a casting from *task to *inqdata (*task is zmalloced). Ok. I think the assumption is dangerous. > To be sure that the destination area is clear I propose to add: > memset(inqdata->product_id, 0, ARRAY_SIZE(inqdata->product_id)); > before strncpy. Would that be OK? Or call strncpy with ARRAY_SIZE(inqdata->product_id) as max length, and then do inqdata->product_id[ARRAY_SIZE(inqdata->product_id) - 1] = '\0'; Regards, Maxime > > Regards, > Jacek > >>> >>> /* PRODUCT REVISION LEVEL */ >>> strncpy((char *)inqdata->product_rev, "0001", 4); >>> -- >>> 1.9.1 >> >> Hi Yu / Maxime, >> I would like to ask for a feedback regarding proposed fix. >> If everything is ok with it, please send acked-by. >> >> Best regards >> Michal. >> ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-10-05 12:42 ` Maxime Coquelin @ 2017-10-05 13:01 ` Bruce Richardson 2017-10-05 13:02 ` Maxime Coquelin 0 siblings, 1 reply; 15+ messages in thread From: Bruce Richardson @ 2017-10-05 13:01 UTC (permalink / raw) To: Maxime Coquelin Cc: Piasecki, JacekX, Jastrzebski, MichalX K, yliu, dev, Jain, Deepak K, Liu, Changpeng On Thu, Oct 05, 2017 at 02:42:24PM +0200, Maxime Coquelin wrote: > > > On 10/05/2017 02:35 PM, Piasecki, JacekX wrote: > > -----Original Message----- > > From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com] > > Sent: Monday, 2 October, 2017 17:07 > > To: Jastrzebski, MichalX K <michalx.k.jastrzebski@intel.com>; yliu@fridaylinux.org > > Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng <changpeng.liu@intel.com>; stable@dpdk.org > > Subject: Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated > > > > > > > > On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote: > > > > -----Original Message----- > > > > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal > > > > Jastrzebski > > > > Sent: Friday, September 22, 2017 3:08 PM > > > > To: yliu@fridaylinux.org; maxime.coquelin@redhat.com > > > > Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, > > > > JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng > > > > <changpeng.liu@intel.com>; stable@dpdk.org > > > > Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not > > > > terminated > > > > > > > > From: Jacek Piasecki <jacekx.piasecki@intel.com> > > > > > > > > Fix size of buffer in strcpy. There was possible to get not > > > > terminated string after copy operation. > > > > > > > > Coverity issue: 158631 > > > > Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample > > > > app") > > > > Cc: changpeng.liu@intel.com > > > > Cc: stable@dpdk.org > > > > > > > > Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > > > > --- > > > > examples/vhost_scsi/scsi.c | 3 ++- > > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c > > > > index 54d3104..de9639a 100644 > > > > --- a/examples/vhost_scsi/scsi.c > > > > +++ b/examples/vhost_scsi/scsi.c > > > > @@ -307,7 +307,8 @@ > > > > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > > > > > > > /* PRODUCT IDENTIFICATION */ > > > > - strncpy((char *)inqdata->product_id, bdev->product_name, > > > > 16); > > > > + strncpy((char *)inqdata->product_id, bdev->product_name, > > > > + ARRAY_SIZE(inqdata->product_id) - 1); > > > > Does it assume that product_id is memzero'ed before? > > IIUC strncpy manpage, it wouldn't protect against non-null terminated strings if it is not the case: > > > > Yes, I assumed that this area is zeroed before strncpy. Earlier there is a casting from *task to *inqdata (*task is zmalloced). > Ok. I think the assumption is dangerous. > > > To be sure that the destination area is clear I propose to add: > > memset(inqdata->product_id, 0, ARRAY_SIZE(inqdata->product_id)); > > before strncpy. Would that be OK? > > Or call strncpy with ARRAY_SIZE(inqdata->product_id) as max length, > and then do > inqdata->product_id[ARRAY_SIZE(inqdata->product_id) - 1] = '\0'; > > Regards, > Maxime > > Or use snprintf instead of strncpy, as we do in many places in DPDK. Still only one line of code, with nice null-termination, and truncation semantics. /Bruce ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated 2017-10-05 13:01 ` Bruce Richardson @ 2017-10-05 13:02 ` Maxime Coquelin 0 siblings, 0 replies; 15+ messages in thread From: Maxime Coquelin @ 2017-10-05 13:02 UTC (permalink / raw) To: Bruce Richardson Cc: Piasecki, JacekX, Jastrzebski, MichalX K, yliu, dev, Jain, Deepak K, Liu, Changpeng On 10/05/2017 03:01 PM, Bruce Richardson wrote: > On Thu, Oct 05, 2017 at 02:42:24PM +0200, Maxime Coquelin wrote: >> >> >> On 10/05/2017 02:35 PM, Piasecki, JacekX wrote: >>> -----Original Message----- >>> From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com] >>> Sent: Monday, 2 October, 2017 17:07 >>> To: Jastrzebski, MichalX K <michalx.k.jastrzebski@intel.com>; yliu@fridaylinux.org >>> Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng <changpeng.liu@intel.com>; stable@dpdk.org >>> Subject: Re: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated >>> >>> >>> >>> On 10/02/2017 03:50 PM, Jastrzebski, MichalX K wrote: >>>>> -----Original Message----- >>>>> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Michal >>>>> Jastrzebski >>>>> Sent: Friday, September 22, 2017 3:08 PM >>>>> To: yliu@fridaylinux.org; maxime.coquelin@redhat.com >>>>> Cc: dev@dpdk.org; Jain, Deepak K <deepak.k.jain@intel.com>; Piasecki, >>>>> JacekX <jacekx.piasecki@intel.com>; Liu, Changpeng >>>>> <changpeng.liu@intel.com>; stable@dpdk.org >>>>> Subject: [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not >>>>> terminated >>>>> >>>>> From: Jacek Piasecki <jacekx.piasecki@intel.com> >>>>> >>>>> Fix size of buffer in strcpy. There was possible to get not >>>>> terminated string after copy operation. >>>>> >>>>> Coverity issue: 158631 >>>>> Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample >>>>> app") >>>>> Cc: changpeng.liu@intel.com >>>>> Cc: stable@dpdk.org >>>>> >>>>> Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> >>>>> --- >>>>> examples/vhost_scsi/scsi.c | 3 ++- >>>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c >>>>> index 54d3104..de9639a 100644 >>>>> --- a/examples/vhost_scsi/scsi.c >>>>> +++ b/examples/vhost_scsi/scsi.c >>>>> @@ -307,7 +307,8 @@ >>>>> strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); >>>>> >>>>> /* PRODUCT IDENTIFICATION */ >>>>> - strncpy((char *)inqdata->product_id, bdev->product_name, >>>>> 16); >>>>> + strncpy((char *)inqdata->product_id, bdev->product_name, >>>>> + ARRAY_SIZE(inqdata->product_id) - 1); >>> >>> Does it assume that product_id is memzero'ed before? >>> IIUC strncpy manpage, it wouldn't protect against non-null terminated strings if it is not the case: >>> >>> Yes, I assumed that this area is zeroed before strncpy. Earlier there is a casting from *task to *inqdata (*task is zmalloced). >> Ok. I think the assumption is dangerous. >> >>> To be sure that the destination area is clear I propose to add: >>> memset(inqdata->product_id, 0, ARRAY_SIZE(inqdata->product_id)); >>> before strncpy. Would that be OK? >> >> Or call strncpy with ARRAY_SIZE(inqdata->product_id) as max length, >> and then do >> inqdata->product_id[ARRAY_SIZE(inqdata->product_id) - 1] = '\0'; >> >> Regards, >> Maxime >>> > Or use snprintf instead of strncpy, as we do in many places in DPDK. > Still only one line of code, with nice null-termination, and truncation > semantics. +1 > /Bruce > ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2] examples/vhost_scsi: fix buffer not terminated 2017-09-22 13:07 [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated Michal Jastrzebski 2017-10-02 13:50 ` Jastrzebski, MichalX K @ 2017-10-12 6:44 ` Jacek Piasecki 2017-10-12 11:09 ` Maxime Coquelin 2017-10-12 11:34 ` [dpdk-dev] [PATCH v3] " Jacek Piasecki 1 sibling, 2 replies; 15+ messages in thread From: Jacek Piasecki @ 2017-10-12 6:44 UTC (permalink / raw) To: dev Cc: maxime.coquelin, changpeng.liu, deepak.k.jain, michalx.k.jastrzebski, Jacek Piasecki, stable Use snprintf instead strncpy to get safe null string termination. There was possible to get not terminated string after strncpy operation. Coverity issue: 158631 Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") Cc: changpeng.liu@intel.com Cc: stable@dpdk.org Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> --- v2: * use snprintf instead strncpy examples/vhost_scsi/scsi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c index 54d3104..c0f3187 100644 --- a/examples/vhost_scsi/scsi.c +++ b/examples/vhost_scsi/scsi.c @@ -307,7 +307,8 @@ strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); /* PRODUCT IDENTIFICATION */ - strncpy((char *)inqdata->product_id, bdev->product_name, 16); + snprintf((char *)inqdata->product_id, + ARRAY_SIZE(inqdata->product_id), "%s", bdev->product_name); /* PRODUCT REVISION LEVEL */ strncpy((char *)inqdata->product_rev, "0001", 4); -- 1.9.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v2] examples/vhost_scsi: fix buffer not terminated 2017-10-12 6:44 ` [dpdk-dev] [PATCH v2] " Jacek Piasecki @ 2017-10-12 11:09 ` Maxime Coquelin 2017-10-12 11:34 ` [dpdk-dev] [PATCH v3] " Jacek Piasecki 1 sibling, 0 replies; 15+ messages in thread From: Maxime Coquelin @ 2017-10-12 11:09 UTC (permalink / raw) To: Jacek Piasecki, dev Cc: changpeng.liu, deepak.k.jain, michalx.k.jastrzebski, stable On 10/12/2017 08:44 AM, Jacek Piasecki wrote: > Use snprintf instead strncpy to get safe null string termination. > There was possible to get not terminated string after strncpy operation. > > Coverity issue: 158631 > Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") > Cc: changpeng.liu@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > --- > v2: > * use snprintf instead strncpy > > examples/vhost_scsi/scsi.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c > index 54d3104..c0f3187 100644 > --- a/examples/vhost_scsi/scsi.c > +++ b/examples/vhost_scsi/scsi.c > @@ -307,7 +307,8 @@ > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > /* PRODUCT IDENTIFICATION */ > - strncpy((char *)inqdata->product_id, bdev->product_name, 16); > + snprintf((char *)inqdata->product_id, > + ARRAY_SIZE(inqdata->product_id), "%s", bdev->product_name); > > /* PRODUCT REVISION LEVEL */ > strncpy((char *)inqdata->product_rev, "0001", 4); > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3] examples/vhost_scsi: fix buffer not terminated 2017-10-12 6:44 ` [dpdk-dev] [PATCH v2] " Jacek Piasecki 2017-10-12 11:09 ` Maxime Coquelin @ 2017-10-12 11:34 ` Jacek Piasecki 2017-10-13 7:12 ` Maxime Coquelin 2017-10-25 10:07 ` [dpdk-dev] [PATCH v4] " Jacek Piasecki 1 sibling, 2 replies; 15+ messages in thread From: Jacek Piasecki @ 2017-10-12 11:34 UTC (permalink / raw) To: dev Cc: maxime.coquelin, michalx.k.jastrzebski, Jacek Piasecki, changpeng.liu, stable Use snprintf instead strncpy to get safe null string termination. There was possible to get not terminated string after strncpy operation. Coverity issue: 158631 Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") Cc: changpeng.liu@intel.com Cc: stable@dpdk.org Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> --- examples/vhost_scsi/scsi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c index 54d3104..2de3110 100644 --- a/examples/vhost_scsi/scsi.c +++ b/examples/vhost_scsi/scsi.c @@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev, strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); /* PRODUCT IDENTIFICATION */ - strncpy((char *)inqdata->product_id, bdev->product_name, 16); + snprintf((char *)inqdata->product_id, + ARRAY_SIZE(inqdata->product_id), "%s", + bdev->product_name); /* PRODUCT REVISION LEVEL */ strncpy((char *)inqdata->product_rev, "0001", 4); -- 2.7.4 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3] examples/vhost_scsi: fix buffer not terminated 2017-10-12 11:34 ` [dpdk-dev] [PATCH v3] " Jacek Piasecki @ 2017-10-13 7:12 ` Maxime Coquelin 2017-10-17 13:26 ` Yuanhan Liu 2017-10-25 10:07 ` [dpdk-dev] [PATCH v4] " Jacek Piasecki 1 sibling, 1 reply; 15+ messages in thread From: Maxime Coquelin @ 2017-10-13 7:12 UTC (permalink / raw) To: Jacek Piasecki, dev; +Cc: michalx.k.jastrzebski, changpeng.liu, stable On 10/12/2017 01:34 PM, Jacek Piasecki wrote: > Use snprintf instead strncpy to get safe null string termination. > There was possible to get not terminated string after strncpy operation. > > Coverity issue: 158631 > Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") > Cc: changpeng.liu@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > --- > examples/vhost_scsi/scsi.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c > index 54d3104..2de3110 100644 > --- a/examples/vhost_scsi/scsi.c > +++ b/examples/vhost_scsi/scsi.c > @@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev, > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > /* PRODUCT IDENTIFICATION */ > - strncpy((char *)inqdata->product_id, bdev->product_name, 16); > + snprintf((char *)inqdata->product_id, > + ARRAY_SIZE(inqdata->product_id), "%s", > + bdev->product_name); > > /* PRODUCT REVISION LEVEL */ > strncpy((char *)inqdata->product_rev, "0001", 4); > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> Thanks, Maxime ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3] examples/vhost_scsi: fix buffer not terminated 2017-10-13 7:12 ` Maxime Coquelin @ 2017-10-17 13:26 ` Yuanhan Liu 2017-10-24 16:22 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon 0 siblings, 1 reply; 15+ messages in thread From: Yuanhan Liu @ 2017-10-17 13:26 UTC (permalink / raw) To: Maxime Coquelin Cc: Jacek Piasecki, dev, michalx.k.jastrzebski, changpeng.liu, stable On Fri, Oct 13, 2017 at 09:12:33AM +0200, Maxime Coquelin wrote: > > > On 10/12/2017 01:34 PM, Jacek Piasecki wrote: > >Use snprintf instead strncpy to get safe null string termination. > >There was possible to get not terminated string after strncpy operation. > > > >Coverity issue: 158631 > >Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") > >Cc: changpeng.liu@intel.com > >Cc: stable@dpdk.org > > > >Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > >--- > > examples/vhost_scsi/scsi.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > >diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c > >index 54d3104..2de3110 100644 > >--- a/examples/vhost_scsi/scsi.c > >+++ b/examples/vhost_scsi/scsi.c > >@@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev, > > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > /* PRODUCT IDENTIFICATION */ > >- strncpy((char *)inqdata->product_id, bdev->product_name, 16); > >+ snprintf((char *)inqdata->product_id, > >+ ARRAY_SIZE(inqdata->product_id), "%s", > >+ bdev->product_name); > > /* PRODUCT REVISION LEVEL */ > > strncpy((char *)inqdata->product_rev, "0001", 4); > > > > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> Firstly, sorry for being so late response. And, Applied to dpdk-next-virtio. Thanks! --yliu ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [dpdk-stable] [PATCH v3] examples/vhost_scsi: fix buffer not terminated 2017-10-17 13:26 ` Yuanhan Liu @ 2017-10-24 16:22 ` Thomas Monjalon 0 siblings, 0 replies; 15+ messages in thread From: Thomas Monjalon @ 2017-10-24 16:22 UTC (permalink / raw) To: Yuanhan Liu, Maxime Coquelin, Jacek Piasecki Cc: stable, dev, michalx.k.jastrzebski, changpeng.liu 17/10/2017 15:26, Yuanhan Liu: > On Fri, Oct 13, 2017 at 09:12:33AM +0200, Maxime Coquelin wrote: > > On 10/12/2017 01:34 PM, Jacek Piasecki wrote: > > >--- a/examples/vhost_scsi/scsi.c > > >+++ b/examples/vhost_scsi/scsi.c > > >@@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev, > > > strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); > > > /* PRODUCT IDENTIFICATION */ > > >- strncpy((char *)inqdata->product_id, bdev->product_name, 16); > > >+ snprintf((char *)inqdata->product_id, > > >+ ARRAY_SIZE(inqdata->product_id), "%s", > > >+ bdev->product_name); > > > /* PRODUCT REVISION LEVEL */ > > > strncpy((char *)inqdata->product_rev, "0001", 4); > > > > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> > > Firstly, sorry for being so late response. And, > > Applied to dpdk-next-virtio. Thanks! I don't know where this ARRAY_SIZE comes from. It does not compile. In DPDK you can use RTE_DIM. This patch is removed from the next-virtio pull queue. ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v4] examples/vhost_scsi: fix buffer not terminated 2017-10-12 11:34 ` [dpdk-dev] [PATCH v3] " Jacek Piasecki 2017-10-13 7:12 ` Maxime Coquelin @ 2017-10-25 10:07 ` Jacek Piasecki 2017-10-25 10:18 ` Thomas Monjalon 1 sibling, 1 reply; 15+ messages in thread From: Jacek Piasecki @ 2017-10-25 10:07 UTC (permalink / raw) To: dev; +Cc: maxime.coquelin, thomas, yliu, Jacek Piasecki, changpeng.liu, stable Use snprintf instead strncpy to get safe null string termination. There was possible to get not terminated string after strncpy operation. Coverity issue: 158631 Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") Cc: changpeng.liu@intel.com Cc: stable@dpdk.org Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> --- v4: RTE_DIM instead ARRAY_SIZE v3: checkpatch fix v2: snprintf instead strncpy --- examples/vhost_scsi/scsi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c index 54d3104..fd430ec 100644 --- a/examples/vhost_scsi/scsi.c +++ b/examples/vhost_scsi/scsi.c @@ -307,7 +307,9 @@ vhost_bdev_scsi_inquiry_command(struct vhost_block_dev *bdev, strncpy((char *)inqdata->t10_vendor_id, "INTEL", 8); /* PRODUCT IDENTIFICATION */ - strncpy((char *)inqdata->product_id, bdev->product_name, 16); + snprintf((char *)inqdata->product_id, + RTE_DIM(inqdata->product_id), "%s", + bdev->product_name); /* PRODUCT REVISION LEVEL */ strncpy((char *)inqdata->product_rev, "0001", 4); -- 2.7.4 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v4] examples/vhost_scsi: fix buffer not terminated 2017-10-25 10:07 ` [dpdk-dev] [PATCH v4] " Jacek Piasecki @ 2017-10-25 10:18 ` Thomas Monjalon 0 siblings, 0 replies; 15+ messages in thread From: Thomas Monjalon @ 2017-10-25 10:18 UTC (permalink / raw) To: Jacek Piasecki; +Cc: dev, maxime.coquelin, yliu, changpeng.liu, stable 25/10/2017 12:07, Jacek Piasecki: > Use snprintf instead strncpy to get safe null string termination. > There was possible to get not terminated string after strncpy operation. > > Coverity issue: 158631 > Fixes: db75c7af19bb ("examples/vhost_scsi: introduce a new sample app") > Cc: changpeng.liu@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Jacek Piasecki <jacekx.piasecki@intel.com> > Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com> > --- > v4: RTE_DIM instead ARRAY_SIZE > v3: checkpatch fix > v2: snprintf instead strncpy Applied, thanks ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2017-10-25 10:19 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-09-22 13:07 [dpdk-dev] [PATCH] examples/vhost_scsi: fix buffer not terminated Michal Jastrzebski 2017-10-02 13:50 ` Jastrzebski, MichalX K 2017-10-02 15:07 ` Maxime Coquelin 2017-10-05 12:35 ` Piasecki, JacekX 2017-10-05 12:42 ` Maxime Coquelin 2017-10-05 13:01 ` Bruce Richardson 2017-10-05 13:02 ` Maxime Coquelin 2017-10-12 6:44 ` [dpdk-dev] [PATCH v2] " Jacek Piasecki 2017-10-12 11:09 ` Maxime Coquelin 2017-10-12 11:34 ` [dpdk-dev] [PATCH v3] " Jacek Piasecki 2017-10-13 7:12 ` Maxime Coquelin 2017-10-17 13:26 ` Yuanhan Liu 2017-10-24 16:22 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon 2017-10-25 10:07 ` [dpdk-dev] [PATCH v4] " Jacek Piasecki 2017-10-25 10:18 ` Thomas Monjalon
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).