From dd07bb8b6baf2389caff221f043d9188ce6bab8c Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Fri, 10 Feb 2023 09:06:06 -0800 Subject: xfs: revert commit 8954c44ff477 The name passed into __xfs_xattr_put_listent is exactly namelen bytes long and not null-terminated. Passing namelen+1 to the strscpy function strscpy(offset, (char *)name, namelen + 1); is therefore wrong. Go back to the old code, which works fine because strncpy won't find a null in @name and stops after namelen bytes. It really could be a memcpy call, but it worked for years. Reported-by: syzbot+898115bc6d7140437215@syzkaller.appspotmail.com Fixes: 8954c44ff477 ("xfs: use strscpy() to instead of strncpy()") Signed-off-by: Darrick J. Wong --- fs/xfs/xfs_xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c index 913c1794bc2f..10aa1fd39d2b 100644 --- a/fs/xfs/xfs_xattr.c +++ b/fs/xfs/xfs_xattr.c @@ -212,7 +212,9 @@ __xfs_xattr_put_listent( offset = context->buffer + context->count; memcpy(offset, prefix, prefix_len); offset += prefix_len; - strscpy(offset, (char *)name, namelen + 1); /* real name */ + strncpy(offset, (char *)name, namelen); /* real name */ + offset += namelen; + *offset = '\0'; compute_size: context->count += prefix_len + namelen + 1; -- cgit v1.2.3