[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 10/22] bt: replace fragile snprintf use and unwarran
From: |
Jim Meyering |
Subject: |
[Qemu-devel] [PATCH 10/22] bt: replace fragile snprintf use and unwarranted strncpy |
Date: |
Wed, 9 May 2012 11:23:54 +0200 |
From: Jim Meyering <address@hidden>
In bt_hci_name_req a failed snprintf could return len larger than
sizeof(params.name), which means the following memset call would
have a "length" value of (size_t)-1, -2, etc... Sounds scary.
But currently, one can deduce that there is no problem:
strlen(slave->lmp_name) is guaranteed to be smaller than
CHANGE_LOCAL_NAME_CP_SIZE, which is the same as sizeof(params.name),
so this cannot happen. Regardless, there is no justification for
using snprintf+memset. Use pstrcpy instead.
Also, in bt_hci_event_complete_read_local_name, use pstrcpy in place
of unwarranted strncpy.
Signed-off-by: Jim Meyering <address@hidden>
---
hw/bt-hci.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/hw/bt-hci.c b/hw/bt-hci.c
index a3a7fb4..47f9a4e 100644
--- a/hw/bt-hci.c
+++ b/hw/bt-hci.c
@@ -943,7 +943,6 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t
*bdaddr)
{
struct bt_device_s *slave;
evt_remote_name_req_complete params;
- int len;
for (slave = hci->device.net->slave; slave; slave = slave->next)
if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
@@ -955,9 +954,7 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t
*bdaddr)
params.status = HCI_SUCCESS;
bacpy(¶ms.bdaddr, &slave->bd_addr);
- len = snprintf(params.name, sizeof(params.name),
- "%s", slave->lmp_name ?: "");
- memset(params.name + len, 0, sizeof(params.name) - len);
+ pstrcpy(params.name, sizeof(params.name), slave->lmp_name ?: "");
bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE,
¶ms, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE);
@@ -1388,7 +1385,7 @@ static inline void
bt_hci_event_complete_read_local_name(struct bt_hci_s *hci)
params.status = HCI_SUCCESS;
memset(params.name, 0, sizeof(params.name));
if (hci->device.lmp_name)
- strncpy(params.name, hci->device.lmp_name, sizeof(params.name));
+ pstrcpy(params.name, sizeof(params.name), hci->device.lmp_name);
bt_hci_event_complete(hci, ¶ms, READ_LOCAL_NAME_RP_SIZE);
}
--
1.7.10.1.487.ga3935e6
- [Qemu-devel] strncpy: best avoided (resend), Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 09/22] ui/vnc: simplify and avoid strncpy, Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 10/22] bt: replace fragile snprintf use and unwarranted strncpy,
Jim Meyering <=
- [Qemu-devel] [PATCH 12/22] virtio-9p: avoid unwarranted use of strncpy, Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 06/22] os-posix: avoid buffer overrun, Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 01/22] block: avoid buffer overrun by using pstrcpy, not strncpy, Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 18/22] acpi: remove strzcpy (strncpy-identical) function; just use strncpy, Jim Meyering, 2012/05/09
- [Qemu-devel] [PATCH 22/22] doc: update HACKING wrt strncpy/pstrcpy, Jim Meyering, 2012/05/09