[lvc-project] [PATCH] fs/hfsplus: Use a more secure copy method.

[Markov Gleb]

From: Gleb Markov <markov.gi at npc-ksb.ru>

When copying, an additional byte is allocated for the null
terminator and the buffer will definitely not be overflowed,
however, replacing the outdated method with a safe one seems
to be the correct action.

Replace strcpy() with strscpy().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5e61473ea9f1 ("fs/hfsplus: move xattr_name allocation in hfsplus_setxattr()")
Fixes: a3cef4cd6886 ("fs/hfsplus: move xattr_name allocation in hfsplus_getxattr()")
Signed-off-by: Gleb Markov <markov.gi at npc-ksb.ru>
---
 fs/hfsplus/xattr.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 49891b12c415..43c6867c80a5 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -425,12 +425,14 @@ int hfsplus_setxattr(struct inode *inode, const char *name,
 	char *xattr_name;
 	int res;
+	size_t total_size;

-	xattr_name = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1,
-		GFP_KERNEL);
+	total_size = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1;
+	xattr_name = kmalloc(total_size, GFP_KERNEL);
+
 	if (!xattr_name)
 		return -ENOMEM;
-	strcpy(xattr_name, prefix);
-	strcpy(xattr_name + prefixlen, name);
+	strscpy(xattr_name, prefix, total_size);
+	strscpy(xattr_name + prefixlen, name, total_size - prefixlen);
 	res = __hfsplus_setxattr(inode, xattr_name, value, size, flags);
 	kfree(xattr_name);
 	return res;
@@ -579,13 +580,15 @@ ssize_t hfsplus_getxattr(struct inode *inode, const char *name,
 	int res;
 	char *xattr_name;
+	size_t total_size;

-	xattr_name = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1,
-			     GFP_KERNEL);
+	total_size = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1;
+	xattr_name = kmalloc(total_size, GFP_KERNEL);
+
 	if (!xattr_name)
 		return -ENOMEM;
 
-	strcpy(xattr_name, prefix);
-	strcpy(xattr_name + prefixlen, name);
+	strscpy(xattr_name, prefix, total_size);
+	strscpy(xattr_name + prefixlen, name, total_size - prefixlen);
 
 	res = __hfsplus_getxattr(inode, xattr_name, value, size);
 	kfree(xattr_name);
-- 
2.43.0