| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <30b946f2-bfb8-4938-8f12-1b10bf81972a@lunn.ch> Date: Tue, 29 Oct 2024 13:21:42 +0100 From: Andrew Lunn <andrew@...n.ch> To: Jeremy Kerr <jk@...econstruct.com.au> Cc: Samuel Mendoza-Jonas <sam@...dozajonas.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Vijay Khemka <vijaykhemka@...com>, netdev@...r.kernel.org Subject: Re: [PATCH 2/2] net: ncsi: restrict version sizes when hardware doesn't nul-terminate On Tue, Oct 29, 2024 at 12:06:58PM +0800, Jeremy Kerr wrote: > Hi Andrew, > > > > However, regardless of what the spec says, we still don't want the > > > strlen() in nla_put_string() to continue into arbitrary memory in > > > the > > > case there was no nul in the fw_name reported by the device. > > > > I agree with that, but i was thinking that if it was not allowed, we > > should be printing a warning telling the user to upgrade their buggy > > firmware. > > Gotchya. All fine there. > > > Are there any other strings which will need similar treatment? > > This is the only nla_put_string() in the ncsi code, and there are no > other string-adjacent components of data represented in the spec (that > I have come across, at least). It is worth mentioning all this in the commit message. It answers questions from reviewers before they ask the questions... Andrew
Powered by blists - more mailing lists