[stgt] [PATCH] Fix buffer overrun issue of lld name

FUJITA Tomonori fujita.tomonori at lab.ntt.co.jp
Tue Dec 10 10:36:46 CET 2013


On Tue, 10 Dec 2013 18:25:34 +0900
Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp> wrote:

> The string buffer of lld name in tgtadm_req struct (req->lld) will not
> be null-terminated if user specifies very long lld name for the
> argument of -L or --lld option.
> 
> This is because the lld name is copied with strncpy function and its
> size argument is the same as buffer size.  In such a case, strncpy()
> can truncate the string without appending a terminating null byte.
> 
> As a result, accesses to the lld name in mtask_execute function, for
> instance, strlen(req->lld) or eprintf("...%s\n", req->lld), can
> overrun.
> 
> This patch fixes the issue by setting a terminating null byte at the
> end of the lld name buffer before mtask_execute() uses it.
> 
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
> ---
>  usr/mgmt.c |    2 ++
>  1 file changed, 2 insertions(+)

Looks good. Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the stgt mailing list