bfad_iocmd_ioc_set_name() copies the fixed-length BSG request name field into equally sized kernel buffers with strcpy(). The request path validates the payload size, but it does not require the source field itself to be NUL terminated.

Reject full-length unterminated names and copy accepted names with strscpy() instead of strcpy().

Fixes: f2ee76017b30 ("[SCSI] bfa: Extend BSG to support more user commands")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/scsi/bfa/bfad_bsg.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c
index 292bc9aa43f1..4a78de3cb0ab 100644
--- a/drivers/scsi/bfa/bfad_bsg.c
+++ b/drivers/scsi/bfa/bfad_bsg.c
@@ -199,10 +199,18 @@ bfad_iocmd_ioc_set_name(struct bfad_s *bfad, void *cmd, unsigned int v_cmd)
 {
 	struct bfa_bsg_ioc_name_s *iocmd = (struct bfa_bsg_ioc_name_s *) cmd;
 
+	if (strnlen(iocmd->name, BFA_ADAPTER_SYM_NAME_LEN) >=
+	    BFA_ADAPTER_SYM_NAME_LEN) {
+		iocmd->status = BFA_STATUS_EINVAL;
+		return 0;
+	}
+
 	if (v_cmd == IOCMD_IOC_SET_ADAPTER_NAME)
-		strcpy(bfad->adapter_name, iocmd->name);
+		strscpy(bfad->adapter_name, iocmd->name,
+			sizeof(bfad->adapter_name));
 	else if (v_cmd == IOCMD_IOC_SET_PORT_NAME)
-		strcpy(bfad->port_name, iocmd->name);
+		strscpy(bfad->port_name, iocmd->name,
+			sizeof(bfad->port_name));
 
 	iocmd->status = BFA_STATUS_OK;
 	return 0;
-- 
2.50.1 (Apple Git-155)