[04/22] scsi: fusion: fix string overflow warning

Message ID 20170714120720.906842-5-arnd@arndb.de
State New
Series
  • gcc-7 -Wformat-* warnings

Commit Message

Arnd Bergmann July 14, 2017, 12:06 p.m.
gcc points out a theoretical string overflow:

drivers/message/fusion/mptbase.c: In function 'mpt_detach':
drivers/message/fusion/mptbase.c:2103:17: error: '%s' directive writing up to 31 bytes into a region of size 28 [-Werror=format-overflow=]
sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
               ^~~~~
drivers/message/fusion/mptbase.c:2103:2: note: 'sprintf' output between 13 and 44 bytes into a destination of size 32

We can simply double the size of the local buffer here to be on the
safe side.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
 drivers/message/fusion/mptbase.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.9.0

Comments

David Laight July 17, 2017, 9:17 a.m. | #1
From: Arnd Bergmann

> Sent: 14 July 2017 13:07
> gcc points out a theoretical string overflow:
>
> drivers/message/fusion/mptbase.c: In function 'mpt_detach':
> drivers/message/fusion/mptbase.c:2103:17: error: '%s' directive writing up to 31 bytes into a region
> of size 28 [-Werror=format-overflow=]
> sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
>                ^~~~~
> drivers/message/fusion/mptbase.c:2103:2: note: 'sprintf' output between 13 and 44 bytes into a
> destination of size 32
>
> We can simply double the size of the local buffer here to be on the
> safe side.

I think I'd change it to snprintf() as well.
Saves any worries if ioc->name isn't '\0' terminated.

	David

Arnd Bergmann July 17, 2017, noon | #2
On Mon, Jul 17, 2017 at 11:17 AM, David Laight <David.Laight@aculab.com> wrote:
> From: Arnd Bergmann
>> Sent: 14 July 2017 13:07
>> gcc points out a theoretical string overflow:
>>
>> drivers/message/fusion/mptbase.c: In function 'mpt_detach':
>> drivers/message/fusion/mptbase.c:2103:17: error: '%s' directive writing up to 31 bytes into a region
>> of size 28 [-Werror=format-overflow=]
>> sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
>>                ^~~~~
>> drivers/message/fusion/mptbase.c:2103:2: note: 'sprintf' output between 13 and 44 bytes into a
>> destination of size 32
>>
>> We can simply double the size of the local buffer here to be on the
>> safe side.
>
> I think I'd change it to snprintf() as well.
> Saves any worries if ioc->name isn't '\0' terminated.

Ok, fair enough, I'll send a new version right away.

      Arnd
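
The bounded formatting discussed in the thread, as an added user-space example that is not part of the patch, the thread, or the driver. `BASEDIR`, `NAME_FIELD` and both function names are assumptions, with sizes chosen to reproduce the 13 to 44 byte range in the gcc note.

```c
#include <stdio.h>
#include <string.h>

/* Assumptions (constructed to match the sizes in the gcc note above, not
 * copied from the driver): a 3-byte base directory and a 32-byte name field. */
#define BASEDIR    "mpt"
#define NAME_FIELD 32

/* Worst-case output size in bytes, including the terminating NUL. */
static size_t worst_case_len(void)
{
	return sizeof(BASEDIR "//summary") + (NAME_FIELD - 1);
}

/* Build "<BASEDIR>/<name>/summary" in dst.
 * Returns 0 on success, -1 if the result was truncated. */
static int build_summary_path(char *dst, size_t dstlen, const char *name)
{
	/* The precision caps how much of name is read, so a name field that
	 * is full and has no NUL terminator cannot be over-read. */
	int n = snprintf(dst, dstlen, BASEDIR "/%.*s/summary",
			 NAME_FIELD - 1, name);

	return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
	char small[32], big[64], name[NAME_FIELD];

	memset(name, 'A', sizeof(name));	/* constructed: no NUL at all */

	printf("worst case: %zu bytes\n", worst_case_len());
	printf("32-byte buffer: %d (\"%s\")\n",
	       build_summary_path(small, sizeof(small), name), small);
	printf("64-byte buffer: %d (\"%s\")\n",
	       build_summary_path(big, sizeof(big), name), big);
	return 0;
}
```

Checking the return value matters because snprintf() truncates silently, and a truncated path would name a different entry than the one intended.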

Patch

diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
index 62cff5afc6bd..46b67a67edc8 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -2079,7 +2079,7 @@  void
 mpt_detach(struct pci_dev *pdev)
 {
 	MPT_ADAPTER 	*ioc = pci_get_drvdata(pdev);
-	char pname[32];
+	char pname[64];
 	u8 cb_idx;
 	unsigned long flags;
 	struct workqueue_struct *wq;
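
Review bot: at `char pname[64];` the new size is a bare constant, and the sprintf() at mptbase.c:2103 that fills the buffer is left unbounded. 64 bytes covers the 44-byte maximum gcc reports, but nothing ties it to the size of ioc->name or to MPT_PROCFS_MPTBASEDIR, so a later change to either can reintroduce the overflow. Suggest also converting the call to snprintf(pname, sizeof(pname), MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name) so the write is bounded by the buffer itself.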