| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ab7c2f42-f566-4c7b-b0ba-6f7446617e85@rowland.harvard.edu> Date: Sat, 19 Apr 2025 14:23:32 -0400 From: Alan Stern <stern@...land.harvard.edu> To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com> Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: [PATCH v1 1/1] usb: Add checks for snprintf() calls in usb_alloc_dev() On Sat, Apr 19, 2025 at 07:27:08PM +0300, Andy Shevchenko wrote: > On Fri, Mar 21, 2025 at 06:49:49PM +0200, Andy Shevchenko wrote: > > When creating a device path in the driver the snprintf() takes > > up to 16 characters long argument along with the additional up to > > 12 characters for the signed integer (as it can't see the actual limits) > > and tries to pack this into 16 bytes array. GCC complains about that > > when build with `make W=1`: > > > > drivers/usb/core/usb.c:705:25: note: ‘snprintf’ output between 3 and 28 bytes into a destination of size 16 > > > > Since everything works until now, let's just check for the potential > > buffer overflow and bail out. It is most likely a never happen situation, > > but at least it makes GCC happy. > > Any comments anybody? It's not a hot path; the extra check won't hurt anything. Acked-by: Alan Stern <stern@...land.harvard.edu> Alan Stern
Powered by blists - more mailing lists