strscpy: zero any trailing garbage bytes in the destination
authorChris Metcalf <cmetcalf@ezchip.com>
Tue, 6 Oct 2015 16:37:41 +0000 (12:37 -0400)
committerChris Metcalf <cmetcalf@ezchip.com>
Tue, 6 Oct 2015 18:53:18 +0000 (14:53 -0400)
It's possible that the destination can be shadowed in userspace
(as, for example, the perf buffers are now).  So we should take
care not to leak data that could be inspected by userspace.

Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
lib/string.c

index 8dbb7b1eab508712da538d0ef7cadc0e24b6c723..84775ba873b9efd978fa006be56e58057b34031f 100644 (file)
@@ -203,12 +203,13 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
                unsigned long c, data;
 
                c = *(unsigned long *)(src+res);
-               *(unsigned long *)(dest+res) = c;
                if (has_zero(c, &data, &constants)) {
                        data = prep_zero_mask(c, data, &constants);
                        data = create_zero_mask(data);
+                       *(unsigned long *)(dest+res) = c & zero_bytemask(data);
                        return res + find_zero(data);
                }
+               *(unsigned long *)(dest+res) = c;
                res += sizeof(unsigned long);
                count -= sizeof(unsigned long);
                max -= sizeof(unsigned long);