| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 04 May 2019 00:44:49 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: chris.packham@...iedtelesis.co.nz
Cc: jon.maloy@...csson.com, ying.xue@...driver.com,
netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tipc: Avoid copying bytes beyond the supplied data
From: Chris Packham <chris.packham@...iedtelesis.co.nz>
Date: Thu, 2 May 2019 15:10:04 +1200
> TLV_SET is called with a data pointer and a len parameter that tells us
> how many bytes are pointed to by data. When invoking memcpy() we need
> to careful to only copy len bytes.
>
> Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
> 4 bytes past the end of the data pointer which newer GCC versions
> complain about.
>
> In file included from test.c:17:
> In function 'TLV_SET',
> inlined from 'test' at test.c:186:5:
> /usr/include/linux/tipc_config.h:317:3:
> warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
> of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
> memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> test.c: In function 'test':
> test.c::161:10: note:
> 'bearer_name' declared here
> char bearer_name[TIPC_MAX_BEARER_NAME];
> ^~~~~~~~~~~
>
> Signed-off-by: Chris Packham <chris.packham@...iedtelesis.co.nz>
But now the pad bytes at the end are uninitialized.
The whole idea is that the encapsulating TLV object has to be rounded
up in size based upon the given 'len' for the data.
Powered by blists - more mailing lists