| Message ID | 20240731-tipic-overrun-v1-1-32ce5098c3e9@kernel.org (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] tipic: guard against buffer overrun in bearer_name_validate() | expand |
On Wed, 31 Jul 2024 09:11:50 +0100 Simon Horman wrote: > Subject: [PATCH net-next] tipic: guard against buffer overrun in bearer_name_validate() double space and one too many 'i's in the subject Code looks right: Reviewed-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 5a526ebafeb4..3c9e25f6a1d2 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name, /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; }
Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. Signed-off-by: Simon Horman <horms@kernel.org> --- I am not marking this as a fix for net as I am not aware of this actually breaking anything in practice. Thus, at this point I consider it more of a clean-up than a bug fix. --- net/tipc/bearer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)