From a20f0c820fb024a48f667334777ca4022838693d Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date: Tue, 26 May 2020 21:06:50 +0200
Subject: [PATCH] fs: fat_write: fix short name creation.

Truncate file names if the buffer size is exceeded to avoid a buffer
overflow.

Use Sphinx style function description.

Add a TODO comment.

Reported-by: CID 303779
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 fs/fat/fat_write.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/fat/fat_write.c b/fs/fat/fat_write.c
index 59cc0bae94..b16a39d3ff 100644
--- a/fs/fat/fat_write.c
+++ b/fs/fat/fat_write.c
@@ -50,8 +50,11 @@ static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
 	return ret;
 }
 
-/*
- * Set short name in directory entry
+/**
+ * set_name() - set short name in directory entry
+ *
+ * @dirent:	directory entry
+ * @filename:	long file name
  */
 static void set_name(dir_entry *dirent, const char *filename)
 {
@@ -66,7 +69,8 @@ static void set_name(dir_entry *dirent, const char *filename)
 	if (len == 0)
 		return;
 
-	strcpy(s_name, filename);
+	strncpy(s_name, filename, VFAT_MAXLEN_BYTES - 1);
+	s_name[VFAT_MAXLEN_BYTES - 1] = '\0';
 	uppercase(s_name, len);
 
 	period = strchr(s_name, '.');
@@ -87,6 +91,11 @@ static void set_name(dir_entry *dirent, const char *filename)
 		memcpy(dirent->name, s_name, period_location);
 	} else {
 		memcpy(dirent->name, s_name, 6);
+		/*
+		 * TODO: Translating two long names with the same first six
+		 *       characters to the same short name is utterly wrong.
+		 *       Short names must be unique.
+		 */
 		dirent->name[6] = '~';
 		dirent->name[7] = '1';
 	}
-- 
2.39.5