lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 20 Aug 2012 18:55:24 +0200
From:	Jim Meyering <jim@...ering.net>
To:	linux-kernel@...r.kernel.org
Cc:	Jim Meyering <meyering@...hat.com>,
	Steve French <sfrench@...ba.org>, linux-cifs@...r.kernel.org,
	samba-technical@...ts.samba.org
Subject: [PATCH] cifs: remove misleading strncpy: each name has length < 16

From: Jim Meyering <meyering@...hat.com>

Each of the protocols[i].name strings (statically declared above)
has length less than 16, so this use of strncpy is misleading:
  strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
Besides, if a new name were added with length N >= 16, the existing
strncpy-using code would be buggy, creating a ->DialectsArray buffer
containing N-16+1 unset bytes where the NUL terminator should have
been.  Instead, traverse the name only once go get its length,
use a BUG_ON assertion to enforce the length restriction
and use memcpy to perform the copy.

Signed-off-by: Jim Meyering <meyering@...hat.com>
---
 fs/cifs/cifssmb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 074923c..16a9018 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -441,8 +441,10 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)

 	count = 0;
 	for (i = 0; i < CIFS_NUM_PROT; i++) {
-		strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
-		count += strlen(protocols[i].name) + 1;
+		size_t len = strlen(protocols[i].name);
+		BUG_ON(len >= 16);
+		memcpy(pSMB->DialectsArray+count, protocols[i].name, len + 1);
+		count += len + 1;
 		/* null at end of source and target buffers anyway */
 	}
 	inc_rfc1001_len(pSMB, count);
-- 
1.7.12

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ