
scsi: qla4xxx: Replace all non-returning strlcpy() with strscpy()

strlcpy() reads the entire source buffer first. This read may exceed the
destination size limit. This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated [1]. In an effort
to remove strlcpy() completely [2], replace strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Link: https://lore.kernel.org/r/20230516025355.2835898-1-azeemshaikh38@gmail.com
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by

Azeem Shaikh and committed by
Martin K. Petersen
41300cc9 0871237a

+11 -11
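--- a/drivers/scsi/qla4xxx/ql4_mbx.c
+++ b/drivers/scsi/qla4xxx/ql4_mbx.c
@@ -1611,8 +1611,8 @@
 goto exit_get_chap;
 }
 
-strlcpy(password, chap_table->secret, QL4_CHAP_MAX_SECRET_LEN);
-strlcpy(username, chap_table->name, QL4_CHAP_MAX_NAME_LEN);
+strscpy(password, chap_table->secret, QL4_CHAP_MAX_SECRET_LEN);
+strscpy(username, chap_table->name, QL4_CHAP_MAX_NAME_LEN);
 chap_table->cookie = cpu_to_le16(CHAP_VALID_COOKIE);
 
 exit_get_chap:
@@ -1732,8 +1732,8 @@
 goto exit_unlock_uni_chap;
 }
 
-strlcpy(password, chap_table->secret, MAX_CHAP_SECRET_LEN);
-strlcpy(username, chap_table->name, MAX_CHAP_NAME_LEN);
+strscpy(password, chap_table->secret, MAX_CHAP_SECRET_LEN);
+strscpy(username, chap_table->name, MAX_CHAP_NAME_LEN);
 
 rval = QLA_SUCCESS;
 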
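Review bot: The two hunks bound copies from `chap_table->secret` and `chap_table->name` with different macro pairs, `QL4_CHAP_MAX_SECRET_LEN`/`QL4_CHAP_MAX_NAME_LEN` at line 1614 and `MAX_CHAP_SECRET_LEN`/`MAX_CHAP_NAME_LEN` at line 1735, and neither hunk shows how those relate to the sizes of `password`, `username` or the source fields. strscpy() limits both the write and the read to the count, so the count must be no larger than the smaller of the two buffers; if the macro pairs differ in value, one call site may be mis-sized. The destinations look like caller-supplied pointers (both function signatures are outside the hunks), so I would state the contract in each function's header comment, e.g. `/* @password must hold QL4_CHAP_MAX_SECRET_LEN bytes, @username QL4_CHAP_MAX_NAME_LEN bytes */`, and check each macro against the array sizes declared in the CHAP table struct.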
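--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -798,9 +798,9 @@
 continue;
 
 chap_rec->chap_tbl_idx = i;
-strlcpy(chap_rec->username, chap_table->name,
+strscpy(chap_rec->username, chap_table->name,
 ISCSI_CHAP_AUTH_NAME_MAX_LEN);
-strlcpy(chap_rec->password, chap_table->secret,
+strscpy(chap_rec->password, chap_table->secret,
 QL4_CHAP_MAX_SECRET_LEN);
 chap_rec->password_length = chap_table->secret_len;
 
@@ -6052,8 +6052,8 @@
 if (!(chap_table->flags & BIT_6)) /* Not BIDI */
 continue;
 
-strlcpy(password, chap_table->secret, QL4_CHAP_MAX_SECRET_LEN);
-strlcpy(username, chap_table->name, QL4_CHAP_MAX_NAME_LEN);
+strscpy(password, chap_table->secret, QL4_CHAP_MAX_SECRET_LEN);
+strscpy(username, chap_table->name, QL4_CHAP_MAX_NAME_LEN);
 ret = 0;
 break;
 }
@@ -6281,8 +6281,8 @@
 
 tddb->tpgt = sess->tpgt;
 tddb->port = conn->persistent_port;
-strlcpy(tddb->iscsi_name, sess->targetname, ISCSI_NAME_SIZE);
-strlcpy(tddb->ip_addr, conn->persistent_address, DDB_IPADDR_LEN);
+strscpy(tddb->iscsi_name, sess->targetname, ISCSI_NAME_SIZE);
+strscpy(tddb->ip_addr, conn->persistent_address, DDB_IPADDR_LEN);
 }
 
 static void qla4xxx_convert_param_ddb(struct dev_db_entry *fw_ddb_entry,
@@ -7781,7 +7781,7 @@
 goto exit_ddb_logout;
 }
 
-strlcpy(flash_tddb->iscsi_name, fnode_sess->targetname,
+strscpy(flash_tddb->iscsi_name, fnode_sess->targetname,
 ISCSI_NAME_SIZE);
 
 if (!strncmp(fnode_sess->portal_type, PORTAL_TYPE_IPV6, 4))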
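Review bot: At line 805 `chap_rec->password_length` is taken from `chap_table->secret_len` rather than from what the strscpy() at line 803 actually copied, so a truncated secret (or a stored length larger than the buffer) leaves the reported length and the NUL-terminated password out of step. strscpy() returns `-E2BIG` on truncation, and the new calls discard it just as the old code discarded strlcpy()'s result; for a CHAP credential a silent truncation deserves at least a warning. Consider `if (strscpy(chap_rec->password, chap_table->secret, QL4_CHAP_MAX_SECRET_LEN) < 0)` followed by a log line or skipping the entry, and clamp the length to the copied size. Whether consumers rely on `password_length` is not visible here, since the loop body starts and ends outside the hunk. The same ignored-truncation pattern appears in the hunks at lines 6055 and 6284.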