svn commit: r345462 - stable/12/sys/dev/beri/virtio

[Oleksandr Tymoshenko]

Author: gonzo
Date: Sat Mar 23 23:43:33 2019
New Revision: 345462
URL: https://svnweb.freebsd.org/changeset/base/345462

Log:
  MFC r343998:
  
  Fix off-by-one error in BERI virtio driver
  
  The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero,
  so there is one byte written out of array bounds.As a fix use strncpy it
  appends \0 only if space allows and its behavior matches virtio spec:
  
  When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
  written to the buffer. The identifier should be interpreted as an ascii string.
  It is terminated with \0, unless it is exactly 20 bytes long.
  
  PR:		202298
  Reviewed by:	br
  Differential Revision:	https://reviews.freebsd.org/D18852

Modified:
  stable/12/sys/dev/beri/virtio/virtio_block.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/dev/beri/virtio/virtio_block.c
==============================================================================
--- stable/12/sys/dev/beri/virtio/virtio_block.c	Sat Mar 23 22:56:03 2019	(r345461)
+++ stable/12/sys/dev/beri/virtio/virtio_block.c	Sat Mar 23 23:43:33 2019	(r345462)
@@ -187,7 +187,7 @@ vtblk_proc(struct beri_vtblk_softc *sc, struct vqueue_
 		break;
 	case VIRTIO_BLK_T_GET_ID:
 		/* Assume a single buffer */
-		strlcpy(iov[1].iov_base, sc->ident,
+		strncpy(iov[1].iov_base, sc->ident,
 		    MIN(iov[1].iov_len, sizeof(sc->ident)));
 		err = 0;
 		break;
@@ -401,7 +401,7 @@ backend_info(struct beri_vtblk_softc *sc)
 		s+=1;
 	}
 
-	sprintf(sc->ident, "Virtio block backend");
+	strncpy(sc->ident, "Virtio block backend", sizeof(sc->ident));
 
 	return (0);
 }