On Wed, Dec 04, 2013 at 11:53:57AM +0900, Ryusuke Konishi wrote: > The following usage of strncmp in fill_vdi_info_range function is a > misuse. It is inefficient and also unsafe because it can overrun if > inode->name is not terminated with a null byte due to malformed inode > object: > > strncmp(inode->name, name, strlen(inode->name)) > > This fixes the issue by replacing the size argument > "strlen(inode->name)" with "sizeof(inode->name)". > > Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp> > --- > sheep/vdi.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sheep/vdi.c b/sheep/vdi.c > index 60bc52d..c8751ed 100644 > --- a/sheep/vdi.c > +++ b/sheep/vdi.c > @@ -561,7 +561,7 @@ static int fill_vdi_info_range(uint32_t left, uint32_t right, > continue; > } > > - if (!strncmp(inode->name, name, strlen(inode->name))) { > + if (!strncmp(inode->name, name, sizeof(inode->name))) { > sd_debug("%s = %s, %u = %u", iocb->tag, inode->tag, > iocb->snapid, inode->snap_id); > if (vdi_has_tag(iocb)) { Applied thanks Yuan |
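Review bot: the hunk changes matching semantics, not only safety, and the commit message should say so. With strlen(inode->name) as the bound the call was a prefix match (a `name` that starts with inode->name but is longer would still compare equal), whereas with sizeof(inode->name) strncmp runs through the NUL terminator and behaves as an exact match; any caller relying on the old prefix behaviour would change. The new bound does stop strlen from reading past an unterminated inode->name, but strncmp with sizeof(inode->name) will still read up to that many bytes of `name` if neither string terminates earlier, so fill_vdi_info_range should only be reached with a NUL-terminated `name` (or one at least sizeof(inode->name) bytes long); a complementary fix is to validate or force-terminate inode->name where the inode object is loaded, so every other user of the field is covered as well.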