nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()

The serial number is copied into the buffer via memcpy_and_pad()
with the length NVMET_SN_MAX_SIZE. So when printing out we also
need to take just that length as anything beyond that will be
uninitialized.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index f74485c..d784f3c 100644 (file)
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
 {
        struct nvmet_subsys *subsys = to_subsys(item);
 
-       return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+       return snprintf(page, PAGE_SIZE, "%*s\n",
+                       NVMET_SN_MAX_SIZE, subsys->serial);
 }
 
 static ssize_t