From 61d52f64ac58f917e47175cbc5bb54ee9a672209 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Thu, 15 Jun 2023 18:05:04 +0000 Subject: [PATCH] usbip: usbip_host: Replace strlcpy with strscpy strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). Direct replacement is safe here since return value of -errno is used to check for truncation instead of sizeof(dest). [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 Signed-off-by: Azeem Shaikh Reviewed-by: Kees Cook Acked-by: Shuah Khan Message-ID: <20230615180504.401169-1-azeemshaikh38@gmail.com> Signed-off-by: Greg Kroah-Hartman --- drivers/usb/usbip/stub_main.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c index e8c3131a8543..0a6624d37929 100644 --- a/drivers/usb/usbip/stub_main.c +++ b/drivers/usb/usbip/stub_main.c @@ -167,15 +167,13 @@ static ssize_t match_busid_show(struct device_driver *drv, char *buf) static ssize_t match_busid_store(struct device_driver *dev, const char *buf, size_t count) { - int len; char busid[BUSID_SIZE]; if (count < 5) return -EINVAL; /* busid needs to include \0 termination */ - len = strlcpy(busid, buf + 4, BUSID_SIZE); - if (sizeof(busid) <= len) + if (strscpy(busid, buf + 4, BUSID_SIZE) < 0) return -EINVAL; if (!strncmp(buf, "add ", 4)) { -- 2.20.1