Commit dd07bb8b authored by Darrick J. Wong

xfs: revert commit 8954c44f



The name passed into __xfs_xattr_put_listent is exactly namelen bytes
long and not null-terminated.  Passing namelen+1 to the strscpy function

    strscpy(offset, (char *)name, namelen + 1);

is therefore wrong.  Go back to the old code, which works fine because
strncpy won't find a null in @name and stops after namelen bytes.  It
really could be a memcpy call, but it worked for years.

Reported-by: <syzbot+898115bc6d7140437215@syzkaller.appspotmail.com>
Fixes: 8954c44f ("xfs: use strscpy() to instead of strncpy()")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
parent 2ee83335
+3 −1
@@ -212,7 +212,9 @@ __xfs_xattr_put_listent(
	offset = context->buffer + context->count;
	memcpy(offset, prefix, prefix_len);
	offset += prefix_len;
	strscpy(offset, (char *)name, namelen + 1);			/* real name */
	strncpy(offset, (char *)name, namelen);			/* real name */
	offset += namelen;
	*offset = '\0';

compute_size:
	context->count += prefix_len + namelen + 1;
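
Review bot: The restored `strncpy(offset, (char *)name, namelen)` call would be better as `memcpy(offset, name, namelen)`, which the commit message itself concedes. Since name is exactly namelen bytes long and not NUL-terminated, the string semantics of strncpy contribute nothing here, and the call remains an obvious target for another mechanical strscpy conversion like the one being reverted. If strncpy stays, add a comment on that line stating that name is not NUL-terminated and that the terminator is written separately by `*offset = '\0'`.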