Message-ID: <94D0CD8314A33A4D9D801C0FE68B402958C7A75B@G9W0745.americas.hpqcorp.net>
Date:	Sun, 14 Sep 2014 21:34:51 +0000
From:	"Elliott, Robert (Server Storage)" <Elliott@...com>
To:	Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>,
	"James E.J. Bottomley" <JBottomley@...allels.com>,
	"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>
CC:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] scsi: scsi_devinfo.c:  Cleaning up unnecessarily
 complicated in conjunction with strncpy



> -----Original Message-----
> From: linux-scsi-owner@...r.kernel.org [mailto:linux-scsi-
> owner@...r.kernel.org] On Behalf Of Rickard Strandqvist
...
> diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
...
>  static void scsi_strcpy_devinfo(char *name, char *to, size_t to_length,
>  				char *from, int compatible)
>  {
> -	size_t from_length;
> -
> -	from_length = strlen(from);
> -	strncpy(to, from, min(to_length, from_length));
> -	if (from_length < to_length) {
> -		if (compatible) {
> -			/*
> -			 * NUL terminate the string if it is short.
> -			 */
> -			to[from_length] = '\0';
> -		} else {
> -			/*
> -			 * space pad the string if it is short.
> -			 */
> -			strncpy(&to[from_length], spaces,
> -				to_length - from_length);
> -		}
> -	}
> -	if (from_length > to_length)
> -		 printk(KERN_WARNING "%s: %s string '%s' is too long\n",
> +	strncpy(to, from, to_length);
> +	if (to[to_length - 1] != '\0') {
> +		to[to_length - 1] = '\0';
> +		printk(KERN_WARNING "%s: %s string '%s' is too long\n",
>  			__func__, name, from);
> +	}
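
Review bot: The single `strncpy(to, from, to_length)` no longer honours `compatible`. For a short string in the non-compatible case the removed branch padded the field with `spaces`, whereas strncpy fills the remainder of `to` with NUL bytes, so the stored field changes format and the `compatible` parameter becomes unused. The `to[to_length - 1] != '\0'` test also fires for a string of exactly `to_length` characters, cutting its last character and printing the warning, where the removed code copied it whole and warned only when `from_length > to_length`. Suggest keeping the space-pad path for `!compatible` and basing the warning on `strlen(from) > to_length`.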

The caller of this function, scsi_dev_info_list_add_keyed, created
the "to" destination buffer, devinfo, with kmalloc, so it's not
guaranteed to be full of zeros.

If from_length is shorter than to_length, then this code will
be inspecting an uninitialized character that strncpy didn't
touch.

---
Rob Elliott    HP Server Storage
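
A userspace harness for the two versions of the copy logic in the quoted hunk, added here as an example and not part of the original message or of the kernel source. It runs the removed and the added lines over a destination pre-filled with 0xAA to stand in for non-zeroed kmalloc memory; `FIELD`, `POISON`, `field`, `run()`, the `spaces` definition and the sample strings are assumptions of this example, and the printk is replaced by a return value.

```c
#include <stdio.h>
#include <string.h>
#define FIELD  8     /* constructed field width */
#define POISON 0xAA  /* stands in for non-zeroed kmalloc() memory */
static const char spaces[] = "                "; /* constructed pad source */
static unsigned char field[FIELD];               /* destination under test */

/* Removed lines of the hunk; returns 1 where the kernel code would printk. */
static int old_copy(char *to, size_t to_length, const char *from, int compatible)
{
	size_t from_length = strlen(from);
	strncpy(to, from, from_length < to_length ? from_length : to_length);
	if (from_length < to_length) {
		if (compatible)
			to[from_length] = '\0';
		else
			strncpy(&to[from_length], spaces, to_length - from_length);
	}
	return from_length > to_length;
}

/* Added lines of the hunk; returns 1 where the kernel code would printk. */
static int new_copy(char *to, size_t to_length, const char *from)
{
	strncpy(to, from, to_length);
	if (to[to_length - 1] != '\0') {
		to[to_length - 1] = '\0';
		return 1;
	}
	return 0;
}

/* Poison the field, then run one variant: 'n' new, 'c' old compatible, 's' old space-padded. */
static int run(char mode, const char *from)
{
	memset(field, POISON, FIELD);
	if (mode == 'n')
		return new_copy((char *)field, FIELD, from);
	return old_copy((char *)field, FIELD, from, mode == 'c');
}

int main(void)
{
	const char *in[] = { "HP", "ABCDEFGH", "ABCDEFGHI" }; /* constructed inputs */
	for (int i = 0; i < 3; i++)
		for (const char *m = "ncs"; *m; m++) {
			int warned = run(*m, in[i]);
			printf("%c %-9s warned=%d last=0x%02x\n", *m, in[i], warned, field[FIELD - 1]);
		}
}
```

The `last=` column is the byte that the new `to[to_length - 1]` check reads, shown for a short, an exact-fit and an over-long input.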




