lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 11 Mar 2020 09:37:45 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     netdev@...r.kernel.org
Cc:     "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Subject: [PATCH 7/7] netdevsim: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Jakub Kicinski <kuba@...nel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
 drivers/net/netdevsim/ipsec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c
index e27fc1a4516d..3281ce3d6c70 100644
--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -29,7 +29,7 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
 		return -ENOMEM;
 
 	p = buf;
-	p += snprintf(p, bufsize - (p - buf),
+	p += scnprintf(p, bufsize - (p - buf),
 		      "SA count=%u tx=%u\n",
 		      ipsec->count, ipsec->tx);
 
@@ -39,15 +39,15 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
 		if (!sap->used)
 			continue;
 
-		p += snprintf(p, bufsize - (p - buf),
+		p += scnprintf(p, bufsize - (p - buf),
 			      "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
 			      i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
 			      sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
-		p += snprintf(p, bufsize - (p - buf),
+		p += scnprintf(p, bufsize - (p - buf),
 			      "sa[%i]    spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
 			      i, be32_to_cpu(sap->xs->id.spi),
 			      sap->xs->id.proto, sap->salt, sap->crypt);
-		p += snprintf(p, bufsize - (p - buf),
+		p += scnprintf(p, bufsize - (p - buf),
 			      "sa[%i]    key=0x%08x %08x %08x %08x\n",
 			      i, sap->key[0], sap->key[1],
 			      sap->key[2], sap->key[3]);
-- 
2.16.4

Powered by blists - more mailing lists