| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202010161618.8E214473@keescook>
Date: Fri, 16 Oct 2020 16:19:59 -0700
From: Kees Cook <keescook@...omium.org>
To: laniel_francis@...vacyrequired.com
Cc: linux-hardening@...r.kernel.org
Subject: Re: [PATCH v1 1/3] Fix unefficient call to memset before memcpu in
nla_strlcpy.
On Fri, Oct 16, 2020 at 02:52:14PM +0200, laniel_francis@...vacyrequired.com wrote:
> From: Francis Laniel <laniel_francis@...vacyrequired.com>
>
> This patch solves part 1 of issue: https://github.com/KSPP/linux/issues/110
>
> Signed-off-by: Francis Laniel <laniel_francis@...vacyrequired.com>
> ---
> lib/nlattr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/nlattr.c b/lib/nlattr.c
> index 74019c8ebf6b..ab96a5f4b9b8 100644
> --- a/lib/nlattr.c
> +++ b/lib/nlattr.c
> @@ -731,8 +731,8 @@ size_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize)
> if (dstsize > 0) {
> size_t len = (srclen >= dstsize) ? dstsize - 1 : srclen;
>
> - memset(dst, 0, dstsize);
> memcpy(dst, src, len);
> + dst[len] = '\0';
I don't think this is right: callers are likely depending on the entire
destination buffer to be zero-padded. I think you probably want:
memset(dst + len, 0, dstsize - len);
memcpy(dst, src, len);
(but double-check my pointer math)
> }
>
> return srclen;
> --
> 2.20.1
>
--
Kees Cook
Powered by blists - more mailing lists