From patchwork Sat Feb 2 01:52:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Verma, Vishal L" X-Patchwork-Id: 10794045 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 670791390 for ; Sat, 2 Feb 2019 01:53:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4FD2932F17 for ; Sat, 2 Feb 2019 01:53:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 43A9D330A5; Sat, 2 Feb 2019 01:53:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id F40A3330B3 for ; Sat, 2 Feb 2019 01:53:01 +0000 (UTC) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id AABEB211C64BC; Fri, 1 Feb 2019 17:53:01 -0800 (PST) X-Original-To: linux-nvdimm@lists.01.org Delivered-To: linux-nvdimm@lists.01.org Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.115; helo=mga14.intel.com; envelope-from=vishal.l.verma@intel.com; receiver=linux-nvdimm@lists.01.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3CF92211C64B1 for ; Fri, 1 Feb 2019 17:53:00 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Feb 2019 17:53:00 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,550,1539673200"; d="scan'208";a="123324127" Received: from vverma7-desk1.lm.intel.com ([10.232.112.170]) by orsmga003.jf.intel.com with ESMTP; 01 Feb 2019 17:52:59 -0800 From: Vishal Verma To: Subject: [ndctl PATCH 3/4] libndctl: fix a couple of theoretical buffer overruns Date: Fri, 1 Feb 2019 18:52:52 -0700 Message-Id: <20190202015253.20051-3-vishal.l.verma@intel.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190202015253.20051-1-vishal.l.verma@intel.com> References: <20190202015253.20051-1-vishal.l.verma@intel.com> MIME-Version: 1.0 X-BeenThere: linux-nvdimm@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Linux-nvdimm developer list." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" X-Virus-Scanned: ClamAV using ClamSMTP Static analysis reports that the ndctl_dimm_get_security() function can overflow 'buf'. Just above it, ndctl_dimm_get_available_labels() seems to make the same mistake. Fix both of these by allocating a buffer of the correct size. Signed-off-by: Vishal Verma Reviewed-by: Dan Williams --- ndctl/lib/dimm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ndctl/lib/dimm.c b/ndctl/lib/dimm.c index 0a4ca79..22cf4e1 100644 --- a/ndctl/lib/dimm.c +++ b/ndctl/lib/dimm.c @@ -582,7 +582,7 @@ NDCTL_EXPORT unsigned long ndctl_dimm_get_available_labels( struct ndctl_ctx *ctx = ndctl_dimm_get_ctx(dimm); char *path = dimm->dimm_buf; int rc, len = dimm->buf_len; - char buf[20]; + char buf[SYSFS_ATTR_SIZE]; if (snprintf(path, len, "%s/available_slots", dimm->dimm_path) >= len) { err(ctx, "%s: buffer too small!\n", @@ -605,8 +605,8 @@ NDCTL_EXPORT enum ndctl_security_state ndctl_dimm_get_security( { struct ndctl_ctx *ctx = ndctl_dimm_get_ctx(dimm); char *path = dimm->dimm_buf; + char buf[SYSFS_ATTR_SIZE]; int len = dimm->buf_len; - char buf[64]; int rc; if (snprintf(path, len, "%s/security", dimm->dimm_path) >= len) {