* [PATCH] Fix buffer size warning for strcpy
@ 2021-08-17 13:06 Nigel Croxon
2021-08-17 21:53 ` NeilBrown
0 siblings, 1 reply; 2+ messages in thread
From: Nigel Croxon @ 2021-08-17 13:06 UTC (permalink / raw)
To: jes, mariusz.tkaczyk, neilb, xni, linux-raid
To meet requirements of Common Criteria certification vulnerablility
assessment. Static code analysis has been run and found the following
error:
buffer_size_warning: Calling "strncpy" with a maximum size
argument of 16 bytes on destination array "ve->name" of
size 16 bytes might leave the destination string unterminated.
The change is to make the destination size to fit the allocated size.
Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
---
super-ddf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/super-ddf.c b/super-ddf.c
index dc8e512f..486183ed 100644
--- a/super-ddf.c
+++ b/super-ddf.c
@@ -2637,9 +2637,10 @@ static int init_super_ddf_bvd(struct supertype *st,
ve->init_state = DDF_init_not;
memset(ve->pad1, 0xff, 14);
- memset(ve->name, ' ', 16);
+ memset(ve->name, ' ', 15);
+ ve->name[15] = '\0';
if (name)
- strncpy(ve->name, name, 16);
+ strncpy(ve->name, name, 15);
ddf->virt->populated_vdes =
cpu_to_be16(be16_to_cpu(ddf->virt->populated_vdes)+1);
--
2.29.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] Fix buffer size warning for strcpy
2021-08-17 13:06 [PATCH] Fix buffer size warning for strcpy Nigel Croxon
@ 2021-08-17 21:53 ` NeilBrown
0 siblings, 0 replies; 2+ messages in thread
From: NeilBrown @ 2021-08-17 21:53 UTC (permalink / raw)
To: Nigel Croxon; +Cc: jes, mariusz.tkaczyk, xni, linux-raid
On Tue, 17 Aug 2021, Nigel Croxon wrote:
> To meet requirements of Common Criteria certification vulnerablility
> assessment. Static code analysis has been run and found the following
> error:
> buffer_size_warning: Calling "strncpy" with a maximum size
> argument of 16 bytes on destination array "ve->name" of
> size 16 bytes might leave the destination string unterminated.
>
> The change is to make the destination size to fit the allocated size.
>
> Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
> ---
> super-ddf.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/super-ddf.c b/super-ddf.c
> index dc8e512f..486183ed 100644
> --- a/super-ddf.c
> +++ b/super-ddf.c
> @@ -2637,9 +2637,10 @@ static int init_super_ddf_bvd(struct supertype *st,
> ve->init_state = DDF_init_not;
>
> memset(ve->pad1, 0xff, 14);
> - memset(ve->name, ' ', 16);
> + memset(ve->name, ' ', 15);
> + ve->name[15] = '\0';
> if (name)
> - strncpy(ve->name, name, 16);
> + strncpy(ve->name, name, 15);
This is not correct.
ve->name is *not* required to be nul-terminated. It is a string that
can be up to 16 bytes long. If it is less than 16 bytes, it is
nul-padded.
Probably the way to get coverity to stop complaining is to use memcpy.
if (name) {
int l = strlen(name;
if (l > 16)
l = 16;
memcpy(ve->name, name, l);
}
Probably the ->name should be initialized to '\0', not spaces.
https://www.snia.org/sites/default/files/SNIA_DDF_Technical_Position_v2.0.pdf
describes the format. Some fields are specified as being padded with
spaces, but not VD_Name (which is ve->name).
The field is specified as being either ASCII or "UNICODE" (which doesn't
make any sense as "UNICODE" is not a byte-encoding. Presumably it means
"UTF-8") and that:
If this field is not used, all bytes MUST be set to zero.
So it should probably be zero-padded. But there is definitely no
requirement for it to be zero-terminated.
Thanks,
NeilBrown
> ddf->virt->populated_vdes =
> cpu_to_be16(be16_to_cpu(ddf->virt->populated_vdes)+1);
>
> --
> 2.29.2
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-17 21:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-17 13:06 [PATCH] Fix buffer size warning for strcpy Nigel Croxon
2021-08-17 21:53 ` NeilBrown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).