From 92f8b562ff56d328277f1ba5caac9c01cae10b33 Mon Sep 17 00:00:00 2001 From: Chris Rogers Date: Mon, 12 Feb 2024 17:24:40 -0500 Subject: [PATCH] block-crypto: Fix off-by-one in keypath Commit 6ffa1d8a979e3fb959baecc71ce34eab909fb716 replaced the use of strncpy with safe_strncpy. When we calculate the length here, we calculate it up to the separator, but don't include the sep. When the string is passed to safe_strncpy, that function subtracts an extra 1 byte to make room for the null character, which ends up cutting off the last character in the path since the length was exact, and relied on the 0-initialized, statically allocated buffer to null terminate the string by default. This commit increases the length value by one before calling safe_strncpy to avoid losing the last byte of data. This essentially copies the path, including the separator which was omitted before, and then replaces the separator with a null character. It also adds MIN() to make sure we don't write outside keydir. Signed-off-by: Chris Rogers --- drivers/block-crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/block-crypto.c b/drivers/block-crypto.c index 93d0d7d5..84d368f4 100644 --- a/drivers/block-crypto.c +++ b/drivers/block-crypto.c @@ -143,8 +143,8 @@ find_keyfile(char **keyfile, const char *dirs, safe_strncpy(keydir, dirs, sizeof(keydir)); dirs = NULL; } else { - size_t len = sep - dirs; - safe_strncpy(keydir, dirs, len); + size_t len = (sep - dirs) + 1; + safe_strncpy(keydir, dirs, MIN(len, sizeof(keydir))); dirs = sep+1; }