lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <m3o6qotrxi.fsf@t19.piap.pl>
Date: Fri, 03 Oct 2025 08:34:01 +0200
From: Krzysztof Hałasa <khalasa@...p.pl>
To: Kriish Sharma <kriish.sharma2006@...il.com>
Cc: khc@...waw.pl,  andrew+netdev@...n.ch,  davem@...emloft.net,
  edumazet@...gle.com,  kuba@...nel.org,  pabeni@...hat.com,
  netdev@...r.kernel.org,  linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drivers/net/wan/hdlc_ppp: fix potential null pointer in
 ppp_cp_event logging

Hi Kriish,

Kriish Sharma <kriish.sharma2006@...il.com> writes:

> Fixes warnings observed during compilation with -Wformat-overflow:
>
> drivers/net/wan/hdlc_ppp.c: In function ‘ppp_cp_event’:
> drivers/net/wan/hdlc_ppp.c:353:17: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
>   353 |                 netdev_info(dev, "%s down\n", proto_name(pid));
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/net/wan/hdlc_ppp.c:342:17: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
>   342 |                 netdev_info(dev, "%s up\n", proto_name(pid));
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It appears proto_name(pid) never returns NULL there. Despite actually
saying "return NULL", that's right :-)

Perhaps you should change it to return "LCP" by default instead, and
not only on PID_LCP? It should silence the compiler.

This ppp_cp_event() is called in a few places:
- ppp_cp_parse_cr()
- ppp_rx()
- ppp_timer() (with a known protocol, though)
- and others, with PID_LCP.

Now, before printing proto_name(pid), ppp_cp_event() does
proto = get_proto(pid), and dereferences it :-)

The pid seems to always come from ppp_rx(). Fortunately it's checked
at start, and it case of an unknown proto it goes straight to rx_error.
-- 
Krzysztof "Chris" Hałasa

Sieć Badawcza Łukasiewicz
Przemysłowy Instytut Automatyki i Pomiarów PIAP
Al. Jerozolimskie 202, 02-486 Warszawa

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ