authorHannes Reinecke <hare@suse.de>2021-09-06 09:04:03 +0200
committerChristoph Hellwig <hch@lst.de>2021-09-06 10:03:11 +0200
commitf04064814c2a15c22ed9c803f9b634ef34f91092 (patch)
tree7d92afdf4f4a566da0da52bc99c8ac2603935165
parentnvmet: return bool from nvmet_passthru_ctrl and nvmet_is_passthru_req (diff)
nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
The serial number is copied into the buffer via memcpy_and_pad() with the length NVMET_SN_MAX_SIZE. So when printing out we also need to take just that length as anything beyond that will be uninitialized. Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Christoph Hellwig <hch@lst.de>
-rw-r--r--drivers/nvme/target/configfs.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index f74485c705ff..d784f3c200b4 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
{
struct nvmet_subsys *subsys = to_subsys(item);
- return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+ return snprintf(page, PAGE_SIZE, "%*s\n",
+ NVMET_SN_MAX_SIZE, subsys->serial);
}
static ssize_t
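Review bot: The `%*s` on the new snprintf() line sets a minimum field width, not a maximum, so the conversion still reads `subsys->serial` until it finds a NUL byte and the read beyond NVMET_SN_MAX_SIZE described in the commit message is not bounded. It also changes the attribute's output, because any serial shorter than the width is now left-padded with spaces. A precision is what caps the number of bytes consumed: `return snprintf(page, PAGE_SIZE, "%.*s\n", NVMET_SN_MAX_SIZE, subsys->serial);`. The precision argument has to be an `int`; the definition of NVMET_SN_MAX_SIZE is not visible here, so a cast may be needed. The signature of nvmet_subsys_attr_serial_show() starts before this hunk.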