From: Dan Carpenter Date: Wed, 8 May 2024 07:43:04 +0000 (+0300) Subject: nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists() X-Git-Tag: nvme-6.9-2024-05-09~1 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=d15dcd0f1a4753b57e66c64c8dc2a9779ff96aab;p=nvme.git nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists() The nsid value is a u32 that comes from nvmet_req_find_ns(). It's endian data and we're on an error path and both of those raise red flags. So let's make this safer. 1) Make the buffer large enough for any u32. 2) Remove the unnecessary initialization. 3) Use snprintf() instead of sprintf() for even more safety. 4) The sprintf() function returns the number of bytes printed, not counting the NUL terminator. It is impossible for the return value to be <= 0 so delete that. Fixes: 505363957fad ("nvmet: fix nvme status code when namespace is disabled") Signed-off-by: Dan Carpenter Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch --- diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index 89a001101a7f..7fda69395c1e 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -757,10 +757,9 @@ static struct configfs_attribute *nvmet_ns_attrs[] = { bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid) { struct config_item *ns_item; - char name[4] = {}; + char name[12]; - if (sprintf(name, "%u", nsid) <= 0) - return false; + snprintf(name, sizeof(name), "%u", nsid); mutex_lock(&subsys->namespaces_group.cg_subsys->su_mutex); ns_item = config_group_find_item(&subsys->namespaces_group, name); mutex_unlock(&subsys->namespaces_group.cg_subsys->su_mutex);