scsi_id: null-terminate serial after append_vendor_model

append_vendor_model() uses memcpy() to write VENDOR_LENGTH +
MODEL_LENGTH bytes without null-terminating. While the caller
zeroes the buffer beforehand, Coverity cannot trace this. Add
explicit null termination so the subsequent strlen() is provably
safe.

CID#1469706

Follow-up for 86fd0337c652b04755008cdca23e2d9c727fa9a9

diff --git a/src/udev/scsi_id/scsi_serial.c b/src/udev/scsi_id/scsi_serial.c
index 82557e3b057a940e764e655ba04a89691b259fab..7de99992578501b8f91ff103d4bc316d4c2271ea 100644 (file)
--- a/src/udev/scsi_id/scsi_serial.c
+++ b/src/udev/scsi_id/scsi_serial.c
@@ -491,9 +491,14 @@ static int check_fill_0x83_id(struct scsi_id_device *dev_scsi,
          * this differs from SCSI_ID_T10_VENDOR, where the vendor is
          * included in the identifier.
          */
-        if (id_search->id_type == SCSI_ID_VENDOR_SPECIFIC)
+        if (id_search->id_type == SCSI_ID_VENDOR_SPECIFIC) {
                 if (append_vendor_model(dev_scsi, serial + 1) < 0)
                         return 1;
+                /* append_vendor_model() uses memcpy() without null-terminating.
+                 * The buffer was zeroed by the caller, but ensure the string is
+                 * explicitly terminated for strlen() below. */
+                serial[1 + VENDOR_LENGTH + MODEL_LENGTH] = '\0';
+        }
 
         i = 4; /* offset to the start of the identifier */
         s = j = strlen(serial);