Message ID | 20210927112205.301876-13-vladimir.oltean@nxp.com |
---|---|
State | Accepted |
Commit | 73894f6938056560357841846158df1b9014af1d |
Delegated to: | Ramon Fried |
Headers | show |
Series | Fix some non-NULL terminated strings in the networking subsystem | expand |
On Mon, Sep 27, 2021 at 2:22 PM Vladimir Oltean <vladimir.oltean@nxp.com> wrote: > > strncpy() simply bails out when copying a source string whose size > exceeds the destination string size, potentially leaving the destination > string unterminated. > > One possible way to address is to pass MDIO_NAME_LEN - 1 and a > previously zero-initialized destination string, but this is more > difficult to maintain. > > The chosen alternative is to use strlcpy(), which properly limits the > copy len in the (srclen >= size) case to "size - 1", and which is also > more efficient than the strncpy() byte-by-byte implementation by using > memcpy. The destination string returned by strlcpy() is always NULL > terminated. > > Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> > --- > drivers/net/macb.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/macb.c b/drivers/net/macb.c > index 57ea45e2dc7f..8151104acfc0 100644 > --- a/drivers/net/macb.c > +++ b/drivers/net/macb.c > @@ -1245,7 +1245,7 @@ int macb_eth_initialize(int id, void *regs, unsigned int phy_addr) > struct mii_dev *mdiodev = mdio_alloc(); > if (!mdiodev) > return -ENOMEM; > - strncpy(mdiodev->name, netdev->name, MDIO_NAME_LEN); > + strlcpy(mdiodev->name, netdev->name, MDIO_NAME_LEN); > mdiodev->read = macb_miiphy_read; > mdiodev->write = macb_miiphy_write; > > @@ -1403,7 +1403,7 @@ static int macb_eth_probe(struct udevice *dev) > macb->bus = mdio_alloc(); > if (!macb->bus) > return -ENOMEM; > - strncpy(macb->bus->name, dev->name, MDIO_NAME_LEN); > + strlcpy(macb->bus->name, dev->name, MDIO_NAME_LEN); > macb->bus->read = macb_miiphy_read; > macb->bus->write = macb_miiphy_write; > > -- > 2.25.1 > Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
diff --git a/drivers/net/macb.c b/drivers/net/macb.c index 57ea45e2dc7f..8151104acfc0 100644 --- a/drivers/net/macb.c +++ b/drivers/net/macb.c @@ -1245,7 +1245,7 @@ int macb_eth_initialize(int id, void *regs, unsigned int phy_addr) struct mii_dev *mdiodev = mdio_alloc(); if (!mdiodev) return -ENOMEM; - strncpy(mdiodev->name, netdev->name, MDIO_NAME_LEN); + strlcpy(mdiodev->name, netdev->name, MDIO_NAME_LEN); mdiodev->read = macb_miiphy_read; mdiodev->write = macb_miiphy_write; @@ -1403,7 +1403,7 @@ static int macb_eth_probe(struct udevice *dev) macb->bus = mdio_alloc(); if (!macb->bus) return -ENOMEM; - strncpy(macb->bus->name, dev->name, MDIO_NAME_LEN); + strlcpy(macb->bus->name, dev->name, MDIO_NAME_LEN); macb->bus->read = macb_miiphy_read; macb->bus->write = macb_miiphy_write;
strncpy() simply bails out when copying a source string whose size exceeds the destination string size, potentially leaving the destination string unterminated. One possible way to address is to pass MDIO_NAME_LEN - 1 and a previously zero-initialized destination string, but this is more difficult to maintain. The chosen alternative is to use strlcpy(), which properly limits the copy len in the (srclen >= size) case to "size - 1", and which is also more efficient than the strncpy() byte-by-byte implementation by using memcpy. The destination string returned by strlcpy() is always NULL terminated. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> --- drivers/net/macb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)