| Message ID | 20170714120720.906842-22-arnd@arndb.de |
|---|---|
| State | Accepted |
| Commit | ebfddb3d447f5267c76680ea4d242e6f9bcafa87 |
| Headers | show |
| Series | gcc-7 -Wformat-* warnings | expand |
> gcc points out a minor bug in the handling of unknown > cookie types, which could result in a string overflow > when the integer is copied into a 3-byte string: > > fs/fscache/object-list.c: In function 'fscache_objlist_show': > fs/fscache/object-list.c:265:19: error: 'sprintf' may write a > terminating nul past the end of the destination > [-Werror=format-overflow=] sprintf(_type, "%02u", cookie->def->type); > ^~~~~~ fs/fscache/object-list.c:265:4: note: 'sprintf' output between > 3 and 4 bytes into a destination of size 3 > > This is currently harmless as no code sets a type other > than 0 or 1, but it makes sense to use snprintf() here > to avoid overflowing the array if that changes. > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- Hi, I sent a patch to fix this issue in April [1]. It was accepted by David Howells [2]. I don't know why it wasn't upstreamed. > fs/fscache/object-list.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c > index 67f940892ef8..b5ab06fabc60 100644 > --- a/fs/fscache/object-list.c > +++ b/fs/fscache/object-list.c > @@ -262,7 +262,8 @@ static int fscache_objlist_show(struct seq_file > *m, void *v) type = "DT"; > break; > default: > - sprintf(_type, "%02u", cookie->def->type); > + snprintf(_type, sizeof(_type), "%02u", > + cookie->def->type); > type = _type; > break; > } In my patch I didn't use snprintf (which is fine) but I used the hexadecimal value (as it is in the documentation [3]). Is it too late to change this patch ? If it is, I can send a patch to use an hex value. Thank you, Jérémy [1]: https://marc.info/?l=linux-kernel&m=149263432022839&w=4 [2]: https://marc.info/?l=linux-kernel&m=149330544916184&w=4 [3]: see Documentation/filesystems/caching/fscache.txt
diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c index 67f940892ef8..b5ab06fabc60 100644 --- a/fs/fscache/object-list.c +++ b/fs/fscache/object-list.c @@ -262,7 +262,8 @@ static int fscache_objlist_show(struct seq_file *m, void *v) type = "DT"; break; default: - sprintf(_type, "%02u", cookie->def->type); + snprintf(_type, sizeof(_type), "%02u", + cookie->def->type); type = _type; break; }
gcc points out a minor bug in the handling of unknown cookie types, which could result in a string overflow when the integer is copied into a 3-byte string: fs/fscache/object-list.c: In function 'fscache_objlist_show': fs/fscache/object-list.c:265:19: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] sprintf(_type, "%02u", cookie->def->type); ^~~~~~ fs/fscache/object-list.c:265:4: note: 'sprintf' output between 3 and 4 bytes into a destination of size 3 This is currently harmless as no code sets a type other than 0 or 1, but it makes sense to use snprintf() here to avoid overflowing the array if that changes. Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- fs/fscache/object-list.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.9.0