lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Oct 2022 14:59:00 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     Johannes Berg <johannes@...solutions.net>
Cc:     Edward Cree <ecree.xilinx@...il.com>, ecree@...inx.com,
        netdev@...r.kernel.org, linux-net-drivers@....com,
        davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
        edumazet@...gle.com, habetsm.xilinx@...il.com,
        marcelo.leitner@...il.com
Subject: Re: [RFC PATCH net-next 1/3] netlink: add support for formatted
 extack messages

Fri, Oct 07, 2022 at 03:49:42PM CEST, johannes@...solutions.net wrote:
>On Fri, 2022-10-07 at 14:46 +0100, Edward Cree wrote:
>> On 07/10/2022 14:35, Johannes Berg wrote:
>> > 
>> > > +#define NL_SET_ERR_MSG_FMT(extack, fmt, args...) do {		\
>> > > +	struct netlink_ext_ack *__extack = (extack);		\
>> > > +								\
>> > > +	scnprintf(__extack->_msg_buf, NETLINK_MAX_FMTMSG_LEN,	\
>> > > +		  (fmt), ##args);				\
>> > 
>> > Maybe that should print some kind of warning if the string was longer
>> > than the buffer? OTOH, I guess the user would notice anyway, and until
>> > you run the code nobody can possibly notice ... too bad then?
>> > 
>> > Maybe we could at least _statically_ make sure that the *format* string
>> > (fmt) is shorter than say 60 chars or something to give some wiggle room
>> > for the print expansion?
>> > 
>> > 	/* allow 20 chars for format expansion */
>> > 	BUILD_BUG_ON(strlen(fmt) > NETLINK_MAX_FMTMSG_LEN - 20);
>> > 
>> > might even work? Just as a sanity check.
>> 
>> Hmm, I don't think we want to prohibit the case of (say) a 78-char format
>>  string with one %d that's always small-valued in practice.
>> In fact if you have lots of % in the format string the output could be
>>  significantly *shorter* than fmt.
>> So while I do like the idea of a sanity check, I don't see how to do it
>>  without imposing unnecessary limitations.
>> 
>
>Yeah, I agree. We could runtime warn but that's also pretty useless.

I think that the macro caller need to take the buffer size into account
passing the formatted msg. So if the generated message would not fit
into the buffer, it's a caller bug. WARN_ON() is suitable for such
things, as it most probaly will hit the developer testing newly added
exack message.


>
>I guess we just have to be careful - but I know from experience that
>won't work ;-)
>
>(and some things like %pM or even %p*H can expand a lot anyway)
>
>Unless maybe we printed a warning together with the full string, so the
>user could recover it? WARN_ON() isn't useful though, the string should
>be enough to understand where it came from.
>
>Anyway just thinking out loud :)
>
>johannes

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ