On Mon, Sep 27, 2021 at 2:22 PM Vladimir Oltean vladimir.oltean@nxp.com wrote:
strncpy() simply bails out when copying a source string whose size exceeds the destination string size, potentially leaving the destination string unterminated.
One possible way to address is to pass MDIO_NAME_LEN - 1 and a previously zero-initialized destination string, but this is more difficult to maintain.
The chosen alternative is to use strlcpy(), which properly limits the copy len in the (srclen >= size) case to "size - 1", and which is also more efficient than the strncpy() byte-by-byte implementation by using memcpy. The destination string returned by strlcpy() is always NULL terminated.
Signed-off-by: Vladimir Oltean vladimir.oltean@nxp.com
arch/powerpc/cpu/mpc85xx/ether_fcc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/cpu/mpc85xx/ether_fcc.c b/arch/powerpc/cpu/mpc85xx/ether_fcc.c index 3c4eb1a7eba9..1f6f55707321 100644 --- a/arch/powerpc/cpu/mpc85xx/ether_fcc.c +++ b/arch/powerpc/cpu/mpc85xx/ether_fcc.c @@ -444,7 +444,7 @@ int fec_initialize(struct bd_info *bis) struct mii_dev *mdiodev = mdio_alloc(); if (!mdiodev) return -ENOMEM;
strncpy(mdiodev->name, dev->name, MDIO_NAME_LEN);
strlcpy(mdiodev->name, dev->name, MDIO_NAME_LEN); mdiodev->read = bb_miiphy_read; mdiodev->write = bb_miiphy_write;-- 2.25.1
Reviewed-by: Ramon Fried rfried.dev@gmail.com