From patchwork Wed May 9 09:23:54 2012
X-Patchwork-Submitter: Jim Meyering
X-Patchwork-Id: 157983
From: Jim Meyering
To: qemu-devel@nongnu.org
Cc: Jim Meyering, Anthony Liguori
Date: Wed, 9 May 2012 11:23:54 +0200
Message-Id: <1336555446-20180-11-git-send-email-jim@meyering.net>
In-Reply-To: <1336555446-20180-1-git-send-email-jim@meyering.net>
Subject: [Qemu-devel] [PATCH 10/22] bt: replace fragile snprintf use and unwarranted strncpy

From: Jim Meyering

In bt_hci_name_req a failed snprintf could return len larger than sizeof(params.name), which means the following memset call would have a "length" value of (size_t)-1, -2, etc... Sounds scary. But currently, one can deduce that there is no problem: strlen(slave->lmp_name) is guaranteed to be smaller than CHANGE_LOCAL_NAME_CP_SIZE, which is the same as sizeof(params.name), so this cannot happen. Regardless, there is no justification for using snprintf+memset. Use pstrcpy instead.

Also, in bt_hci_event_complete_read_local_name, use pstrcpy in place of unwarranted strncpy.

Signed-off-by: Jim Meyering
---
 hw/bt-hci.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/hw/bt-hci.c b/hw/bt-hci.c index a3a7fb4..47f9a4e 100644 --- a/hw/bt-hci.c +++ b/hw/bt-hci.c @@ -943,7 +943,6 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr) { struct bt_device_s *slave; evt_remote_name_req_complete params; - int len; for (slave = hci->device.net->slave; slave; slave = slave->next) if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr)) 
@@ -955,9 +954,7 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr) params.status = HCI_SUCCESS; bacpy(¶ms.bdaddr, &slave->bd_addr); - len = snprintf(params.name, sizeof(params.name), - "%s", slave->lmp_name ?: ""); - memset(params.name + len, 0, sizeof(params.name) - len); + pstrcpy(params.name, sizeof(params.name), slave->lmp_name ?: ""); bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE, ¶ms, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE); @@ -1388,7 +1385,7 @@ static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci) params.status = HCI_SUCCESS; memset(params.name, 0, sizeof(params.name)); if (hci->device.lmp_name) - strncpy(params.name, hci->device.lmp_name, sizeof(params.name)); + pstrcpy(params.name, sizeof(params.name), hci->device.lmp_name); bt_hci_event_complete(hci, ¶ms, READ_LOCAL_NAME_RP_SIZE); }
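Review bot: In bt_hci_name_req (the @@ -955,9 hunk), removing the memset leaves every byte of params.name after the terminating NUL unset. pstrcpy copies the string and terminates it but does not pad the rest of the buffer, params is a stack variable that the visible lines never zero, and bt_hci_event is still handed EVT_REMOTE_NAME_REQ_COMPLETE_SIZE bytes of it. Unless params is cleared somewhere outside the shown context, the event payload now carries stale stack contents in the tail of the name field. Suggest adding memset(params.name, 0, sizeof(params.name)); before the pstrcpy, the same pattern bt_hci_event_complete_read_local_name keeps in the last hunk.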
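Review bot: In bt_hci_event_complete_read_local_name (the @@ -1388,7 hunk), the commit message gives a length bound only for slave->lmp_name, not for hci->device.lmp_name, so the behaviour change for a long name is undocumented. With the retained memset the padding is unchanged, but a name of sizeof(params.name) bytes or more used to fill the whole field with no terminator under strncpy, and pstrcpy now truncates it to sizeof(params.name) - 1 bytes plus a NUL. Please state in the commit message whether hci->device.lmp_name is bounded the same way as slave->lmp_name, or note that the one-byte truncation is intended.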