[usr/src/sys/dev/beri/virtio/virtio_block.c:404]: (error) Buffer is accessed out of bounds: sc.ident
sprintf(sc->ident, "Virtio block backend");
but sc->ident is only 20 bytes long and the text string, including
trailing NULL, is 21 bytes long.
Also, since there are no % specifiers in the text string, strcpy
would be faster.
*** Bug 211410 has been marked as a duplicate of this bug. ***
Still broken three years later.
A commit references this bug:
Date: Mon Feb 11 07:42:32 UTC 2019
New revision: 343998
Fix off-by-one error in BERI virtio driver
The hardcoded ident is exactly 20 bytes long but sprintf adds terminating zero,
so there is one byte written out of array bounds.As a fix use strncpy it
appends \0 only if space allows and its behavior matches virtio spec:
When VIRTIO_BLK_T_GET_ID is issued, the device identifier, up to 20 bytes, is
written to the buffer. The identifier should be interpreted as an ascii string.
It is terminated with \0, unless it is exactly 20 bytes long.
Reviewed by: br
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D18852