The following usage of strncmp in fill_vdi_info_range function is a misuse. It is inefficient and also unsafe because it can overrun if inode->name is not terminated with a null byte due to malformed inode object: strncmp(inode->name, name, strlen(inode->name)) This fixes the issue by replacing the size argument "strlen(inode->name)" with "sizeof(inode->name)". Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp> --- sheep/vdi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sheep/vdi.c b/sheep/vdi.c index 60bc52d..c8751ed 100644 --- a/sheep/vdi.c +++ b/sheep/vdi.c @@ -561,7 +561,7 @@ static int fill_vdi_info_range(uint32_t left, uint32_t right, continue; } - if (!strncmp(inode->name, name, strlen(inode->name))) { + if (!strncmp(inode->name, name, sizeof(inode->name))) { sd_debug("%s = %s, %u = %u", iocb->tag, inode->tag, iocb->snapid, inode->snap_id); if (vdi_has_tag(iocb)) { -- 1.7.9.3 |
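Review bot: The commit message should also call out the semantic change at the `- if (!strncmp(inode->name, name, strlen(inode->name)))` / `+ if (!strncmp(inode->name, name, sizeof(inode->name)))` line, since the old length argument made this a prefix match (a `name` that merely begins with `inode->name` would compare equal), while bounding by `sizeof(inode->name)` turns it into a full comparison within the name field. The new bound keeps the read within `inode->name` even when the field lacks a terminator, but `strncmp` still walks `name` until a NUL, a mismatch, or `sizeof(inode->name)` bytes, so it is worth confirming that `name` is NUL-terminated (or at least `sizeof(inode->name)` bytes long) where it is built; the hunk does not show its origin. If unterminated inode names from malformed objects are the concern, rejecting or terminating the field when the inode is read would let the callers stop depending on a bounded compare for safety.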