lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Oct 2022 15:49:42 +0200 From: Johannes Berg <johannes@...solutions.net> To: Edward Cree <ecree.xilinx@...il.com>, ecree@...inx.com, netdev@...r.kernel.org, linux-net-drivers@....com Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com, habetsm.xilinx@...il.com, marcelo.leitner@...il.com Subject: Re: [RFC PATCH net-next 1/3] netlink: add support for formatted extack messages On Fri, 2022-10-07 at 14:46 +0100, Edward Cree wrote: > On 07/10/2022 14:35, Johannes Berg wrote: > > > > > +#define NL_SET_ERR_MSG_FMT(extack, fmt, args...) do { \ > > > + struct netlink_ext_ack *__extack = (extack); \ > > > + \ > > > + scnprintf(__extack->_msg_buf, NETLINK_MAX_FMTMSG_LEN, \ > > > + (fmt), ##args); \ > > > > Maybe that should print some kind of warning if the string was longer > > than the buffer? OTOH, I guess the user would notice anyway, and until > > you run the code nobody can possibly notice ... too bad then? > > > > Maybe we could at least _statically_ make sure that the *format* string > > (fmt) is shorter than say 60 chars or something to give some wiggle room > > for the print expansion? > > > > /* allow 20 chars for format expansion */ > > BUILD_BUG_ON(strlen(fmt) > NETLINK_MAX_FMTMSG_LEN - 20); > > > > might even work? Just as a sanity check. > > Hmm, I don't think we want to prohibit the case of (say) a 78-char format > string with one %d that's always small-valued in practice. > In fact if you have lots of % in the format string the output could be > significantly *shorter* than fmt. > So while I do like the idea of a sanity check, I don't see how to do it > without imposing unnecessary limitations. > Yeah, I agree. We could runtime warn but that's also pretty useless. I guess we just have to be careful - but I know from experience that won't work ;-) (and some things like %pM or even %p*H can expand a lot anyway) Unless maybe we printed a warning together with the full string, so the user could recover it? WARN_ON() isn't useful though, the string should be enough to understand where it came from. Anyway just thinking out loud :) johannes
Powered by blists - more mailing lists