Commit 179a5bc4 authored Jan 27, 2015 by Andrey Ryabinin Committed by Eric Van Hensbergen Mar 20, 2015

net/9p: use memcpy() instead of snprintf() in p9_mount_tag_show()



p9_mount_tag_show() uses '%s' format string to print
non-NULL terminated chan->tag string. This leads
to out of bounds memory read, because format '%s'
implies that string is NULL-terminated.

The length of string is know here, so its simpler and safer
to use memcpy instead of snprintf().

Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>

parent 6250a8ba

net/9p/trans_virtio.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -504,7 +504,10 @@ static ssize_t p9_mount_tag_show(struct device *dev,
		vdev = dev_to_virtio(dev);
		chan = vdev->priv;

		return snprintf(buf, chan->tag_len + 1, "%s", chan->tag);
		memcpy(buf, chan->tag, chan->tag_len);
		buf[chan->tag_len] = 0;

		return chan->tag_len + 1;
		}

		static DEVICE_ATTR(mount_tag, 0444, p9_mount_tag_show, NULL);