authorDarrick J. Wong <djwong@kernel.org>2023-02-10 09:06:06 -0800
committerDarrick J. Wong <djwong@kernel.org>2023-02-10 09:06:06 -0800
commitdd07bb8b6baf2389caff221f043d9188ce6bab8c (patch)
treefd1206f2a1e7849ea19b68eef376a2f03c71d504
parent2ee8333529857a702475ce36d3af3ecbbcf5af5a (diff)
xfs: revert commit 8954c44ff477xfs-6.3-merge-2
The name passed into __xfs_xattr_put_listent is exactly namelen bytes long and not null-terminated. Passing namelen+1 to the strscpy function strscpy(offset, (char *)name, namelen + 1); is therefore wrong. Go back to the old code, which works fine because strncpy won't find a null in @name and stops after namelen bytes. It really could be a memcpy call, but it worked for years. Reported-by: syzbot+898115bc6d7140437215@syzkaller.appspotmail.com Fixes: 8954c44ff477 ("xfs: use strscpy() to instead of strncpy()") Signed-off-by: Darrick J. Wong <djwong@kernel.org>
-rw-r--r--fs/xfs/xfs_xattr.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
index 913c1794bc2f..10aa1fd39d2b 100644
--- a/fs/xfs/xfs_xattr.c
+++ b/fs/xfs/xfs_xattr.c
@@ -212,7 +212,9 @@ __xfs_xattr_put_listent(
offset = context->buffer + context->count;
memcpy(offset, prefix, prefix_len);
offset += prefix_len;
- strscpy(offset, (char *)name, namelen + 1); /* real name */
+ strncpy(offset, (char *)name, namelen); /* real name */
+ offset += namelen;
+ *offset = '\0';
compute_size:
context->count += prefix_len + namelen + 1;
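Review bot: The `strncpy` call on the new side has no comment recording why a length-bounded copy is required, so a later string-API cleanup could reintroduce the one-byte over-read of `name` that this commit reverts. Per the commit message, `name` is exactly `namelen` bytes and not NUL-terminated; I would state that at the call, e.g. `/* name is namelen bytes, not NUL-terminated: copy by length, terminate by hand */`. Also consider `memcpy(offset, name, namelen);` so the copy does not rely on string semantics at all. The check that `prefix_len + namelen + 1` fits in `context->buffer` is not visible here (the function starts and ends outside the hunk), so confirm it still runs before these writes.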