Message-Id: <20230510-tpic-bearer_name_validate-v1-1-016d882e4e99@kernel.org>
Date: Wed, 10 May 2023 14:48:11 +0200
From: Simon Horman <horms@...nel.org>
To: Jon Maloy <jmaloy@...hat.com>, Ying Xue <ying.xue@...driver.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Per Liden <per.liden@...pam.ericsson.com>,
Dan Carpenter <dan.carpenter@...aro.org>, netdev@...r.kernel.org,
tipc-discussion@...ts.sourceforge.net
Subject: [PATCH RFC net] tipc: guard against buffer overrun in
 bearer_name_validate()

Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.

.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case, although perhaps it never occurs in
practice due to well formed input.

Guard against this possibility by using strscpy() and failing if
truncation occurs.

Compile tested only.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Simon Horman <horms@...nel.org>
---
net/tipc/bearer.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 35cac7733fd3..a82cd8f351a5 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,
/* return bearer name components, if necessary */
if (name_parts) {
- strcpy(name_parts->media_name, media_name);
- strcpy(name_parts->if_name, if_name);
+ if (strscpy(name_parts->media_name, media_name,
+ TIPC_MAX_MEDIA_NAME) < 0)
+ return 0;
+ if (strscpy(name_parts->if_name, if_name,
+ TIPC_MAX_IF_NAME) < 0)
+ return 0;
}
return 1;
}
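
Review bot: In both strscpy() calls the size argument is a named constant (TIPC_MAX_MEDIA_NAME, TIPC_MAX_IF_NAME) rather than the size of the destination, so the bound is only correct while those constants match the 16-byte arrays Smatch reports for name_parts->media_name and name_parts->if_name; the struct definition is not visible in this hunk. Consider sizeof(name_parts->media_name) and sizeof(name_parts->if_name) so the limit follows the destination if either one changes. The "< 0" test is the right check for strscpy(), which returns -E2BIG on truncation, and returning 0 is consistent with the "return 1" success path below, but a one-line comment saying that a truncated component is treated as an invalid bearer name would make the new early returns self-explanatory. Since the message says this is compile tested only, a note on whether an over-long name can actually reach these copies would also help reviewers judge the Fixes: tag.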