net/9p: use memcpy() instead of snprintf() in p9_mount_tag_show()
author Andrey Ryabinin <a.ryabinin@samsung.com>
Tue, 27 Jan 2015 13:00:19 +0000 (16:00 +0300)
committer Eric Van Hensbergen <ericvh@gmail.com>
Fri, 20 Mar 2015 14:34:43 +0000 (07:34 -0700)
p9_mount_tag_show() uses '%s' format string to print
non-NULL terminated chan->tag string. This leads
to out of bounds memory read, because format '%s'
implies that string is NULL-terminated.

The length of the string is known here, so it's simpler and safer
to use memcpy() instead of snprintf().

Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
net/9p/trans_virtio.c

index 36a1a739ad68ff57eace5ba4bc4166faf12c485b..486df019f8752eef6adc1aec7d5a49d656cd3301 100644 (file)
@@ -504,7 +504,10 @@ static ssize_t p9_mount_tag_show(struct device *dev,
        vdev = dev_to_virtio(dev);
        chan = vdev->priv;
 
-       return snprintf(buf, chan->tag_len + 1, "%s", chan->tag);
+       memcpy(buf, chan->tag, chan->tag_len);
+       buf[chan->tag_len] = 0;
+
+       return chan->tag_len + 1;
 }
 
 static DEVICE_ATTR(mount_tag, 0444, p9_mount_tag_show, NULL);
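
Review bot: the new `return chan->tag_len + 1;` counts the terminator written by `buf[chan->tag_len] = 0;`, while the removed snprintf() call returned the number of characters without the trailing NUL, so a read of the mount_tag attribute now hands userspace one extra zero byte. Returning chan->tag_len would keep the old length, or the attribute could end with a newline if a terminator should be visible to readers. Separately, nothing in this hunk checks chan->tag_len against the size of buf before the memcpy(); sysfs show buffers are one page, so if tag_len is not bounded where the tag is read from the device, a clamp or a comment stating the bound belongs here.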