| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250829165218.4d597b8b@kernel.org>
Date: Fri, 29 Aug 2025 16:52:18 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Ivan Vecera <ivecera@...hat.com>
Cc: netdev@...r.kernel.org, Jiri Pirko <jiri@...nulli.us>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Paolo Abeni
<pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Jonathan Corbet
<corbet@....net>, Prathosh Satish <Prathosh.Satish@...rochip.com>,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, Michal Schmidt
<mschmidt@...hat.com>, Petr Oros <poros@...hat.com>, Przemek Kitszel
<przemyslaw.kitszel@...el.com>
Subject: Re: [PATCH net-next v3 3/5] dpll: zl3073x: Add firmware loading
functionality
On Fri, 29 Aug 2025 12:39:30 +0200 Ivan Vecera wrote:
> >> + strscpy(buf, *psrc, min(sizeof(buf), *psize));
> >> + rc = sscanf(buf, "%15s %u %n", name, &count, &pos);
> >> + if (!rc) {
> >> + /* No more data */
> >> + return 0;
> >> + } else if (rc == 1) {
> >> + ZL3073X_FW_ERR_MSG(zldev, extack, "invalid component size");
> >> + return -EINVAL;
> >> + }
> >> + *psrc += pos;
> >> + *psize -= pos;
> >
> > what if pos > *psize ? I think the parsing needs more care.
>
> This should not happen. strscpy copies min(32, *psize) from the source
> to buf and sscanf parses buf and fills pos by index from the buf.
> The pos cannot be greater than *psize...or did I miss something?
Glancing at it now, I think I was concerned that *psize will go
negative / wrap. So potentially leading to over-read of psrc,
rather than overflow of buf. But I could well be wrong..
Powered by blists - more mailing lists