From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <changpeng.liu@intel.com>
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20])
 by dpdk.org (Postfix) with ESMTP id A49588E5B
 for <dev@dpdk.org>; Fri, 18 May 2018 01:22:58 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga007.fm.intel.com ([10.253.24.52])
 by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 17 May 2018 16:22:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,412,1520924400"; d="scan'208";a="40250397"
Received: from fedora.sh.intel.com ([10.67.114.176])
 by fmsmga007.fm.intel.com with ESMTP; 17 May 2018 16:22:57 -0700
From: Changpeng Liu <changpeng.liu@intel.com>
To: changpeng.liu@intel.com,
	dev@dpdk.org
Date: Fri, 18 May 2018 07:32:12 +0800
Message-Id: <1526599932-13083-2-git-send-email-changpeng.liu@intel.com>
X-Mailer: git-send-email 1.9.3
In-Reply-To: <1526599932-13083-1-git-send-email-changpeng.liu@intel.com>
References: <1526599932-13083-1-git-send-email-changpeng.liu@intel.com>
Subject: [dpdk-dev] [PATCH 2/2] examples/vhost_scsi: fix potential buffer
	overrun with safe copy API
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 23:23:00 -0000

Signed-off-by: Changpeng Liu <changpeng.liu@intel.com>
---
 examples/vhost_scsi/scsi.c       | 23 ++++++++++++-----------
 examples/vhost_scsi/vhost_scsi.c |  5 +++--
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/examples/vhost_scsi/scsi.c b/examples/vhost_scsi/scsi.c
index 0c2fa3e..1572098 100644
--- a/examples/vhost_scsi/scsi.c
+++ b/examples/vhost_scsi/scsi.c
@@ -182,8 +182,8 @@
 			break;
 		case SPC_VPD_UNIT_SERIAL_NUMBER:
 			hlen = 4;
-			strlcpy((char *)vpage->params, bdev->name,
-					sizeof(vpage->params));
+			vhost_strcpy_pad((char *)vpage->params, bdev->name,
+					sizeof(vpage->params), ' ');
 			vpage->alloc_len = rte_cpu_to_be_16(32);
 			break;
 		case SPC_VPD_DEVICE_IDENTIFICATION:
@@ -217,10 +217,11 @@
 			desig->piv = 1;
 			desig->reserved1 = 0;
 			desig->len = 8 + 16 + 32;
-			strlcpy((char *)desig->desig, "INTEL", 8);
+			vhost_strcpy_pad((char *)desig->desig, "INTEL", 8, ' ');
 			vhost_strcpy_pad((char *)&desig->desig[8],
 					 bdev->product_name, 16, ' ');
-			strlcpy((char *)&desig->desig[24], bdev->name, 32);
+			vhost_strcpy_pad((char *)&desig->desig[24], bdev->name,
+					32, ' ');
 			len += sizeof(struct scsi_desig_desc) + 8 + 16 + 32;
 
 			buf += sizeof(struct scsi_desig_desc) + desig->len;
@@ -277,17 +278,17 @@
 		inqdata->flags3 = 0x2;
 
 		/* T10 VENDOR IDENTIFICATION */
-		strlcpy((char *)inqdata->t10_vendor_id, "INTEL",
-			sizeof(inqdata->t10_vendor_id));
+		vhost_strcpy_pad((char *)inqdata->t10_vendor_id, "INTEL",
+			sizeof(inqdata->t10_vendor_id), ' ');
 
 		/* PRODUCT IDENTIFICATION */
-		snprintf((char *)inqdata->product_id,
-				RTE_DIM(inqdata->product_id), "%s",
-				bdev->product_name);
+		vhost_strcpy_pad((char *)inqdata->product_id,
+				bdev->product_name,
+				sizeof(inqdata->product_id), ' ');
 
 		/* PRODUCT REVISION LEVEL */
-		strlcpy((char *)inqdata->product_rev, "0001",
-			sizeof(inqdata->product_rev));
+		vhost_strcpy_pad((char *)inqdata->product_rev, "0001",
+			sizeof(inqdata->product_rev), ' ');
 
 		/* Standard inquiry data ends here. Only populate
 		 * remaining fields if alloc_len indicates enough
diff --git a/examples/vhost_scsi/vhost_scsi.c b/examples/vhost_scsi/vhost_scsi.c
index a1d542b..4e57462 100644
--- a/examples/vhost_scsi/vhost_scsi.c
+++ b/examples/vhost_scsi/vhost_scsi.c
@@ -183,8 +183,9 @@ static uint64_t gpa_to_vva(int vid, uint64_t gpa, uint64_t *len)
 	if (!bdev)
 		return NULL;
 
-	strncpy(bdev->name, bdev_name, sizeof(bdev->name));
-	strncpy(bdev->product_name, bdev_serial, sizeof(bdev->product_name));
+	snprintf(bdev->name, sizeof(bdev->name), "%s", bdev_name);
+	snprintf(bdev->product_name, sizeof(bdev->product_name),
+		"%s", bdev_serial);
 	bdev->blocklen = blk_size;
 	bdev->blockcnt = blk_cnt;
 	bdev->write_cache = wce_enable;
-- 
1.9.3