Message-Id: <20241028-ncsi-fixes-v1-2-f0bcfaf6eb88@codeconstruct.com.au>
Date: Mon, 28 Oct 2024 13:06:57 +0800
From: Jeremy Kerr <jk@...econstruct.com.au>
To: Samuel Mendoza-Jonas <sam@...dozajonas.com>, 
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, 
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
 Simon Horman <horms@...nel.org>, Vijay Khemka <vijaykhemka@...com>
Cc: netdev@...r.kernel.org
Subject: [PATCH 2/2] net: ncsi: restrict version sizes when hardware
 doesn't nul-terminate

When constructing a netlink NCSI channel info message, we assume that
the hardware version field is nul-terminated, which may not be the case
for version name strings that are exactly 12 bytes.

Build a proper nul-terminated buffer to use in nla_put_string()
instead.

Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family")
Signed-off-by: Jeremy Kerr <jk@...econstruct.com.au>
---
 net/ncsi/ncsi-netlink.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/ncsi-netlink.c b/net/ncsi/ncsi-netlink.c
index 2f872d064396df55c2e213c525bae7740c12f62e..f2ba74537061ff616ce48a587969fd2270fb44c9 100644
--- a/net/ncsi/ncsi-netlink.c
+++ b/net/ncsi/ncsi-netlink.c
@@ -58,6 +58,8 @@ static int ncsi_write_channel_info(struct sk_buff *skb,
 				   struct ncsi_dev_priv *ndp,
 				   struct ncsi_channel *nc)
 {
+	const unsigned int fw_name_len = sizeof(nc->version.fw_name);
+	char fw_name[sizeof(nc->version.fw_name) + 1];
 	struct ncsi_channel_vlan_filter *ncf;
 	struct ncsi_channel_mode *m;
 	struct nlattr *vid_nest;
@@ -73,7 +75,14 @@ static int ncsi_write_channel_info(struct sk_buff *skb,
 
 	nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.major);
 	nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.minor);
-	nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR, nc->version.fw_name);
+
+	/* the fw_name string will only be nul-terminated if it is shorter
+	 * than the 12-bytes available in the packet definition; ensure we have
+	 * the correct terminator here.
+	 */
+	memcpy(fw_name, nc->version.fw_name, fw_name_len);
+	fw_name[fw_name_len] = '\0';
+	nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR, fw_name);
 
 	vid_nest = nla_nest_start_noflag(skb, NCSI_CHANNEL_ATTR_VLAN_LIST);
 	if (!vid_nest)
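
Review bot: the replacement nla_put_string() call still discards its return value, as do the two nla_put_u32() calls directly above it, so if the skb is out of room the NCSI_CHANNEL_ATTR_VERSION_STR attribute is silently dropped; consider checking the result and propagating the error, or state in the commit message that this is left for a separate change. The copy itself is bounded correctly: memcpy() takes exactly fw_name_len bytes and the terminator is written at index fw_name_len, which is the last element of the sizeof(nc->version.fw_name) + 1 buffer declared in the first hunk. Minor: the new comment hard-codes "12-bytes" while the code uses sizeof(); "12 bytes" without the hyphen, or wording that refers to the field size, would stay accurate if the definition changes.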

-- 
2.39.2

