lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 07 Mar 2016 16:05:39 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	David Decotigny <ddecotig@...il.com>, netdev@...r.kernel.org
Cc:	Jeff Garzik <jgarzik@...ox.com>, David Miller <davem@...hat.com>,
	Vidya Sagar Ravipati <vidya@...ulusnetworks.com>,
	Joe Perches <joe@...ches.com>,
	David Decotigny <decot@...glers.com>
Subject: Re: [ethtool PATCH v3 04/12] ethtool.c: do_seeprom checks for
 params & stdin sanity

On Fri, 2016-03-04 at 16:42 -0800, David Decotigny wrote:
> From: David Decotigny <decot@...glers.com>
> 
> Tested:
>   On qemu e1000:
>   $ dd if=/dev/zero bs=2 count=5 | /mnt/ethtool -E eth0 length 9
>   too much data from stdin
>   $ dd if=/dev/zero bs=2 count=5 | /mnt/ethtool -E eth0 length 11
>   not enough data from stdin
>   $ dd if=/dev/zero bs=2 count=5 | /mnt/ethtool -E eth0 length 10
>   Cannot set EEPROM data: Bad address
> 
> 
> Signed-off-by: David Decotigny <decot@...glers.com>
> ---
>  ethtool.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/ethtool.c b/ethtool.c
> index c64b962..19f479c 100644
> --- a/ethtool.c
> +++ b/ethtool.c
> @@ -2828,8 +2828,14 @@ static int do_seeprom(struct cmd_context *ctx)
>  	if (seeprom_length == -1)
>  		seeprom_length = drvinfo.eedump_len;
>  
> -	if (drvinfo.eedump_len < seeprom_offset + seeprom_length)
> -		seeprom_length = drvinfo.eedump_len - seeprom_offset;
> +	if (drvinfo.eedump_len < seeprom_offset + seeprom_length) {
> +		if (drvinfo.eedump_len > seeprom_offset)
> +			seeprom_length = drvinfo.eedump_len - seeprom_offset;

Don't silently truncate - treat this as an error too.

> +		else {
> +			fprintf(stderr, "offset & length out of bounds\n");
> +			return 75;

Use the default error code of 1 rather than making 75 even less
meaningful.

> +		}
> +	}
>  
>  	eeprom = calloc(1, sizeof(*eeprom)+seeprom_length);
>  	if (!eeprom) {
> @@ -2844,8 +2850,18 @@ static int do_seeprom(struct cmd_context *ctx)
>  	eeprom->data[0] = seeprom_value;
>  
>  	/* Multi-byte write: read input from stdin */
> -	if (!seeprom_value_seen)
> -		eeprom->len = fread(eeprom->data, 1, eeprom->len, stdin);
> +	if (!seeprom_value_seen) {
> +		if (1 != fread(eeprom->data, eeprom->len, 1, stdin)) {
> +			fprintf(stderr, "not enough data from stdin\n");
> +			free(eeprom);
> +			return 75;
> +		}
> +		if ((EOF != fgetc(stdin)) || !feof(stdin)) {

Comparisons are the wrong way round.

Ben.

> +			fprintf(stderr, "too much data from stdin\n");
> +			free(eeprom);
> +			return 75;
> +		}
> +	}
>  
>  	err = send_ioctl(ctx, eeprom);
>  	if (err < 0) {
-- 
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ