lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 8 Jan 2018 00:58:05 +0200
From:   Andy Shevchenko <andy.shevchenko@...il.com>
To:     SF Markus Elfring <elfring@...rs.sourceforge.net>
Cc:     netdev <netdev@...r.kernel.org>,
        Bhumika Goyal <bhumirks@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        David Windsor <dwindsor@...il.com>,
        Elena Reshetova <elena.reshetova@...el.com>,
        Hans Liljestrand <ishkamiel@...il.com>,
        Johannes Berg <johannes.berg@...el.com>,
        Kees Cook <keescook@...omium.org>,
        Roopa Prabhu <roopa@...ulusnetworks.com>,
        LKML <linux-kernel@...r.kernel.org>,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] atm/clip: Use seq_puts() in svc_addr()

On Sat, Jan 6, 2018 at 11:44 PM, SF Markus Elfring
<elfring@...rs.sourceforge.net> wrote:
> From: Markus Elfring <elfring@...rs.sourceforge.net>
> Date: Sat, 6 Jan 2018 22:34:12 +0100
>
> Two strings should be quickly put into a sequence by two function calls.
> Thus use the function "seq_puts" instead of "seq_printf".
>
> This issue was detected by using the Coccinelle software.
>
> Signed-off-by: Markus Elfring <elfring@...rs.sourceforge.net>
> ---
>  net/atm/clip.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/atm/clip.c b/net/atm/clip.c
> index d4f6029d5109..62a852165b19 100644
> --- a/net/atm/clip.c
> +++ b/net/atm/clip.c
> @@ -708,11 +708,11 @@ static void svc_addr(struct seq_file *seq, struct sockaddr_atmsvc *addr)
>         static int e164[] = { 1, 8, 4, 6, 1, 0 };
>
>         if (*addr->sas_addr.pub) {
> -               seq_printf(seq, "%s", addr->sas_addr.pub);
> +               seq_puts(seq, addr->sas_addr.pub);

Which opens a lot of security concerns.
Never do this again.

>                 if (*addr->sas_addr.prv)
>                         seq_putc(seq, '+');
>         } else if (!*addr->sas_addr.prv) {

> -               seq_printf(seq, "%s", "(none)");
> +               seq_puts(seq, "(none)");

...while this one is okay per se, better to keep above pattern (same
style over the piece of code / function).

>                 return;
>         }
>         if (*addr->sas_addr.prv) {
> --
> 2.15.1
>

P.S. I'm wondering what would be first, Markus starts looking into the
actual code, or most (all) of the maintainers just ban him.

-- 
With Best Regards,
Andy Shevchenko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ