block-crypto: Fix off-by-one in keypath

Commit 6ffa1d8 replaced the use of strncpy with safe_strncpy. When we calculate the length here, we calculate it up to the separator, but don't include the sep. When the string is passed to safe_strncpy, that function subtracts an extra 1 byte to make room for the null character, which ends up cutting off the last character in the path since the length was exact, and relied on the 0-initialized, statically allocated buffer to null terminate the string by default. This commit increases the length value by one before calling safe_strncpy to avoid losing the last byte of data. This essentially copies the path, including the separator which was omitted before, and then replaces the separator with a null character. It also adds MIN() to make sure we don't write outside keydir. Signed-off-by: Chris Rogers <[email protected]>
xapi-project · Feb 14, 2024 · 92f8b56 · 92f8b56
1 parent 26019a2
commit 92f8b56
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/block-crypto.c b/drivers/block-crypto.c
@@ -143,8 +143,8 @@ find_keyfile(char **keyfile, const char *dirs,
 			safe_strncpy(keydir, dirs, sizeof(keydir));
 			dirs = NULL;
 		} else {
-			size_t len = sep - dirs;
-			safe_strncpy(keydir, dirs, len);
+			size_t len = (sep - dirs) + 1;
+			safe_strncpy(keydir, dirs, MIN(len, sizeof(keydir)));
 			dirs = sep+1;
 		}