From patchwork Sat Oct 14 21:03:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Disseldorp <ddiss@suse.de>
X-Patchwork-Id: 10006643
Return-Path: <target-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	89B4D60230 for <patchwork-target-devel@patchwork.kernel.org>;
	Sat, 14 Oct 2017 21:04:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7C9BA28FFE
	for <patchwork-target-devel@patchwork.kernel.org>;
	Sat, 14 Oct 2017 21:04:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 71BB02903B; Sat, 14 Oct 2017 21:04:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 13CC628FFE
	for <patchwork-target-devel@patchwork.kernel.org>;
	Sat, 14 Oct 2017 21:04:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751378AbdJNVES (ORCPT
	<rfc822;patchwork-target-devel@patchwork.kernel.org>);
	Sat, 14 Oct 2017 17:04:18 -0400
Received: from mx2.suse.de ([195.135.220.15]:60082 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751004AbdJNVES (ORCPT <rfc822;target-devel@vger.kernel.org>);
	Sat, 14 Oct 2017 17:04:18 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
	by mx2.suse.de (Postfix) with ESMTP id 2C9FDADF3
	for <target-devel@vger.kernel.org>;
	Sat, 14 Oct 2017 21:04:17 +0000 (UTC)
From: David Disseldorp <ddiss@suse.de>
To: target-devel@vger.kernel.org
Cc: David Disseldorp <ddiss@suse.de>
Subject: [PATCH 2/2] target: add ALUA state file path truncation detection
Date: Sat, 14 Oct 2017 23:03:52 +0200
Message-Id: <20171014210352.8713-2-ddiss@suse.de>
X-Mailer: git-send-email 2.13.6
In-Reply-To: <20171014210352.8713-1-ddiss@suse.de>
References: <20171014210352.8713-1-ddiss@suse.de>
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A sufficiently long Unit Serial string, dbroot path, and/or ALUA target
portal group name may result in truncation of the ALUA state file path
prior to usage. Add checks for snprintf() truncation.

Fixes: fdddf932269a ("target: use new "dbroot" target attribute")
Signed-off-by: David Disseldorp <ddiss@suse.de>
---
 drivers/target/target_core_alua.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c
index 928127642574..2351fe60c0e7 100644
--- a/drivers/target/target_core_alua.c
+++ b/drivers/target/target_core_alua.c
@@ -921,14 +921,23 @@ static int core_alua_update_tpg_primary_metadata(
 	char path[ALUA_METADATA_PATH_LEN];
 	int len, rc;
 
+	memset(path, 0, ALUA_METADATA_PATH_LEN);
+
+	len = snprintf(path, ALUA_METADATA_PATH_LEN,
+			"%s/alua/tpgs_%s/%s", db_root, &wwn->unit_serial[0],
+			config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item));
+	if (len >= ALUA_METADATA_PATH_LEN) {
+		pr_err("WWN value for struct se_device does not fit"
+			" into path buffer\n");
+		return -EMSGSIZE;
+	}
+
 	md_buf = kzalloc(ALUA_MD_BUF_LEN, GFP_KERNEL);
 	if (!md_buf) {
 		pr_err("Unable to allocate buf for ALUA metadata\n");
 		return -ENOMEM;
 	}
 
-	memset(path, 0, ALUA_METADATA_PATH_LEN);
-
 	len = snprintf(md_buf, ALUA_MD_BUF_LEN,
 			"tg_pt_gp_id=%hu\n"
 			"alua_access_state=0x%02x\n"
@@ -937,10 +946,6 @@ static int core_alua_update_tpg_primary_metadata(
 			tg_pt_gp->tg_pt_gp_alua_access_state,
 			tg_pt_gp->tg_pt_gp_alua_access_status);
 
-	snprintf(path, ALUA_METADATA_PATH_LEN,
-		"%s/alua/tpgs_%s/%s", db_root, &wwn->unit_serial[0],
-		config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item));
-
 	rc = core_alua_write_tpg_metadata(path, md_buf, len);
 	kfree(md_buf);
 	return rc;
@@ -1231,18 +1236,28 @@ static int core_alua_update_tpg_secondary_metadata(struct se_lun *lun)
 		snprintf(wwn+len, ALUA_SECONDARY_METADATA_WWN_LEN-len, "+%hu",
 				se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg));
 
+	len = snprintf(path, ALUA_METADATA_PATH_LEN, "%s/alua/%s/%s/lun_%llu",
+			db_root, se_tpg->se_tpg_tfo->get_fabric_name(), wwn,
+			lun->unpacked_lun);
+	if (len >= ALUA_METADATA_PATH_LEN) {
+		pr_err("WWN value for struct se_device does not fit"
+			" into path buffer\n");
+		rc = -EMSGSIZE;
+		goto out_free;
+	}
+
 	len = snprintf(md_buf, ALUA_MD_BUF_LEN, "alua_tg_pt_offline=%d\n"
 			"alua_tg_pt_status=0x%02x\n",
 			atomic_read(&lun->lun_tg_pt_secondary_offline),
 			lun->lun_tg_pt_secondary_stat);
-
-	snprintf(path, ALUA_METADATA_PATH_LEN, "%s/alua/%s/%s/lun_%llu",
-			db_root, se_tpg->se_tpg_tfo->get_fabric_name(), wwn,
-			lun->unpacked_lun);
+	if (len >= ALUA_MD_BUF_LEN) {
+		rc = -EMSGSIZE;
+		goto out_free;
+	}
 
 	rc = core_alua_write_tpg_metadata(path, md_buf, len);
+out_free:
 	kfree(md_buf);
-
 out_unlock:
 	mutex_unlock(&lun->lun_tg_pt_md_mutex);
 	return rc;