| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191114102831.23753-1-liuhangbin@gmail.com>
Date: Thu, 14 Nov 2019 18:28:31 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: netdev@...r.kernel.org
Cc: Eric Dumazet <edumazet@...gle.com>,
"David S . Miller" <davem@...emloft.net>,
Jiri Benc <jbenc@...hat.com>,
Hangbin Liu <liuhangbin@...il.com>
Subject: [PATCH net] tcp: switch snprintf to scnprintf
snprintf returns the number of chars that would be written, not number
of chars that were actually written. As such, 'offs' may get larger than
'tbl.maxlen', causing the 'tbl.maxlen - offs' being < 0, and since the
parameter is size_t, it would overflow.
Currently, the buffer is still enough, but for future design, use scnprintf
would be safer.
Suggested-by: Jiri Benc <jbenc@...hat.com>
Signed-off-by: Hangbin Liu <liuhangbin@...il.com>
---
net/ipv4/sysctl_net_ipv4.c | 14 +++++++-------
net/ipv4/tcp_cong.c | 12 ++++++------
net/ipv4/tcp_ulp.c | 6 +++---
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 59ded25acd04..ed804cf68026 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -334,14 +334,14 @@ static int proc_tcp_fastopen_key(struct ctl_table *table, int write,
user_key[i] = le32_to_cpu(key[i]);
for (i = 0; i < n_keys; i++) {
- off += snprintf(tbl.data + off, tbl.maxlen - off,
- "%08x-%08x-%08x-%08x",
- user_key[i * 4],
- user_key[i * 4 + 1],
- user_key[i * 4 + 2],
- user_key[i * 4 + 3]);
+ off += scnprintf(tbl.data + off, tbl.maxlen - off,
+ "%08x-%08x-%08x-%08x",
+ user_key[i * 4],
+ user_key[i * 4 + 1],
+ user_key[i * 4 + 2],
+ user_key[i * 4 + 3]);
if (i + 1 < n_keys)
- off += snprintf(tbl.data + off, tbl.maxlen - off, ",");
+ off += scnprintf(tbl.data + off, tbl.maxlen - off, ",");
}
ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index c445a81d144e..d84a09bd0201 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -253,9 +253,9 @@ void tcp_get_available_congestion_control(char *buf, size_t maxlen)
rcu_read_lock();
list_for_each_entry_rcu(ca, &tcp_cong_list, list) {
- offs += snprintf(buf + offs, maxlen - offs,
- "%s%s",
- offs == 0 ? "" : " ", ca->name);
+ offs += scnprintf(buf + offs, maxlen - offs,
+ "%s%s",
+ offs == 0 ? "" : " ", ca->name);
}
rcu_read_unlock();
}
@@ -282,9 +282,9 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
list_for_each_entry_rcu(ca, &tcp_cong_list, list) {
if (!(ca->flags & TCP_CONG_NON_RESTRICTED))
continue;
- offs += snprintf(buf + offs, maxlen - offs,
- "%s%s",
- offs == 0 ? "" : " ", ca->name);
+ offs += scnprintf(buf + offs, maxlen - offs,
+ "%s%s",
+ offs == 0 ? "" : " ", ca->name);
}
rcu_read_unlock();
}
diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
index 4849edb62d52..c338cae13842 100644
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -89,9 +89,9 @@ void tcp_get_available_ulp(char *buf, size_t maxlen)
*buf = '\0';
rcu_read_lock();
list_for_each_entry_rcu(ulp_ops, &tcp_ulp_list, list) {
- offs += snprintf(buf + offs, maxlen - offs,
- "%s%s",
- offs == 0 ? "" : " ", ulp_ops->name);
+ offs += scnprintf(buf + offs, maxlen - offs,
+ "%s%s",
+ offs == 0 ? "" : " ", ulp_ops->name);
}
rcu_read_unlock();
}
--
2.19.2
Powered by blists - more mailing lists