usbip: usbip_host: Replace strlcpy with strscpy

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().

Direct replacement is safe here since return value of -errno
is used to check for truncation instead of sizeof(dest).

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Message-ID: <20230615180504.401169-1-azeemshaikh38@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Azeem Shaikh and committed by

Greg Kroah-Hartman 2 years ago 61d52f64 c0aabed9

+1 -3

1 changed file

expand all

drivers

usb

usbip

stub_main.c

+1 -3

drivers/usb/usbip/stub_main.c

··· 167 167 static ssize_t match_busid_store(struct device_driver *dev, const char *buf, 168 168 size_t count) 169 169 { 170 - int len; 171 170 char busid[BUSID_SIZE]; 172 171 173 172 if (count < 5) 174 173 return -EINVAL; 175 174 176 175 /* busid needs to include \0 termination */ 177 - len = strlcpy(busid, buf + 4, BUSID_SIZE); 178 - if (sizeof(busid) <= len) 176 + if (strscpy(busid, buf + 4, BUSID_SIZE) < 0) 179 177 return -EINVAL; 180 178 181 179 if (!strncmp(buf, "add ", 4)) {