| Message ID | 20231017-strncpy-drivers-net-wireless-cisco-airo-c-v1-1-e34d5b3b7e37@google.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | airo: replace deprecated strncpy with strscpy_pad | expand |
On 10/17/2023 2:12 PM, Justin Stitt wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > > `extra` is clearly supposed to be NUL-terminated which is evident by the > manual NUL-byte assignment as well as its immediate usage with strlen(). > > Moreover, let's NUL-pad since there is deliberate effort (48 instances) > made elsewhere to zero-out buffers in these getters and setters: > 6050 | memset(local->config.nodeName, 0, sizeof(local->config.nodeName)); > 6130 | memset(local->config.rates, 0, 8); > 6139 | memset(local->config.rates, 0, 8); > 6414 | memset(key.key, 0, MAX_KEY_SIZE); > 6497 | memset(extra, 0, 16); > (to be clear, strncpy also NUL-padded -- we are matching that behavior) > > Considering the above, a suitable replacement is `strscpy_pad` due to > the fact that it guarantees both NUL-termination and NUL-padding on the > destination buffer. > > Technically, we can now copy one less byte into `extra` as we cannot > determine the sizeof `extra` at compile time and the hard-coded value of > 16 means that strscpy_pad() will automatically truncate and set the byte > at offset 15 to NUL. However, the current code manually sets a > NUL-byte at offset 16. If this is an issue, the solution is to change > the hard-coded magic number to 17 instead of 16. I didn't do this in > this patch because a hard-coded 17 seems bad (even more so than 16). this function is a wext handler. In wext-core.c we have: static const struct iw_ioctl_description standard_ioctl[] = { ... [IW_IOCTL_IDX(SIOCGIWNICKN)] = { .header_type = IW_HEADER_TYPE_POINT, .token_size = 1, .max_tokens = IW_ESSID_MAX_SIZE, }, So the buffer size is (strangely) IW_ESSID_MAX_SIZE if you want to use that for the buffer size > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > Note: build-tested only. > > Found with: $ rg "strncpy\(" > --- > drivers/net/wireless/cisco/airo.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c > index dbd13f7aa3e6..8cfb1de5933e 100644 > --- a/drivers/net/wireless/cisco/airo.c > +++ b/drivers/net/wireless/cisco/airo.c > @@ -6067,8 +6067,7 @@ static int airo_get_nick(struct net_device *dev, > struct airo_info *local = dev->ml_priv; > > readConfigRid(local, 1); > - strncpy(extra, local->config.nodeName, 16); > - extra[16] = '\0'; > + strscpy_pad(extra, local->config.nodeName, 16); > dwrq->length = strlen(extra); > > return 0; > > --- > base-commit: 58720809f52779dc0f08e53e54b014209d13eebb > change-id: 20231017-strncpy-drivers-net-wireless-cisco-airo-c-d09cd0500a6e > > Best regards, > -- > Justin Stitt <justinstitt@google.com> >
On Tue, Oct 17, 2023 at 03:51:58PM -0700, Jeff Johnson wrote: > On 10/17/2023 2:12 PM, Justin Stitt wrote: > > strncpy() is deprecated for use on NUL-terminated destination strings > > [1] and as such we should prefer more robust and less ambiguous string > > interfaces. > > > > `extra` is clearly supposed to be NUL-terminated which is evident by the > > manual NUL-byte assignment as well as its immediate usage with strlen(). > > > > Moreover, let's NUL-pad since there is deliberate effort (48 instances) > > made elsewhere to zero-out buffers in these getters and setters: > > 6050 | memset(local->config.nodeName, 0, sizeof(local->config.nodeName)); > > 6130 | memset(local->config.rates, 0, 8); > > 6139 | memset(local->config.rates, 0, 8); > > 6414 | memset(key.key, 0, MAX_KEY_SIZE); > > 6497 | memset(extra, 0, 16); > > (to be clear, strncpy also NUL-padded -- we are matching that behavior) > > > > Considering the above, a suitable replacement is `strscpy_pad` due to > > the fact that it guarantees both NUL-termination and NUL-padding on the > > destination buffer. > > > > Technically, we can now copy one less byte into `extra` as we cannot > > determine the sizeof `extra` at compile time and the hard-coded value of > > 16 means that strscpy_pad() will automatically truncate and set the byte > > at offset 15 to NUL. However, the current code manually sets a > > NUL-byte at offset 16. If this is an issue, the solution is to change > > the hard-coded magic number to 17 instead of 16. I didn't do this in > > this patch because a hard-coded 17 seems bad (even more so than 16). > > this function is a wext handler. In wext-core.c we have: > static const struct iw_ioctl_description standard_ioctl[] = { > ... > [IW_IOCTL_IDX(SIOCGIWNICKN)] = { > .header_type = IW_HEADER_TYPE_POINT, > .token_size = 1, > .max_tokens = IW_ESSID_MAX_SIZE, > }, > > So the buffer size is (strangely) IW_ESSID_MAX_SIZE if you want to use that > for the buffer size Yeah, that seems like a good refactor to do at the same time. > > - strncpy(extra, local->config.nodeName, 16); > > - extra[16] = '\0'; > > + strscpy_pad(extra, local->config.nodeName, 16); Justin, can you respin this with the open-coded "16" updated? -Kees
diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c index dbd13f7aa3e6..8cfb1de5933e 100644 --- a/drivers/net/wireless/cisco/airo.c +++ b/drivers/net/wireless/cisco/airo.c @@ -6067,8 +6067,7 @@ static int airo_get_nick(struct net_device *dev, struct airo_info *local = dev->ml_priv; readConfigRid(local, 1); - strncpy(extra, local->config.nodeName, 16); - extra[16] = '\0'; + strscpy_pad(extra, local->config.nodeName, 16); dwrq->length = strlen(extra); return 0;
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. `extra` is clearly supposed to be NUL-terminated which is evident by the manual NUL-byte assignment as well as its immediate usage with strlen(). Moreover, let's NUL-pad since there is deliberate effort (48 instances) made elsewhere to zero-out buffers in these getters and setters: 6050 | memset(local->config.nodeName, 0, sizeof(local->config.nodeName)); 6130 | memset(local->config.rates, 0, 8); 6139 | memset(local->config.rates, 0, 8); 6414 | memset(key.key, 0, MAX_KEY_SIZE); 6497 | memset(extra, 0, 16); (to be clear, strncpy also NUL-padded -- we are matching that behavior) Considering the above, a suitable replacement is `strscpy_pad` due to the fact that it guarantees both NUL-termination and NUL-padding on the destination buffer. Technically, we can now copy one less byte into `extra` as we cannot determine the sizeof `extra` at compile time and the hard-coded value of 16 means that strscpy_pad() will automatically truncate and set the byte at offset 15 to NUL. However, the current code manually sets a NUL-byte at offset 16. If this is an issue, the solution is to change the hard-coded magic number to 17 instead of 16. I didn't do this in this patch because a hard-coded 17 seems bad (even more so than 16). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- Note: build-tested only. Found with: $ rg "strncpy\(" --- drivers/net/wireless/cisco/airo.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- base-commit: 58720809f52779dc0f08e53e54b014209d13eebb change-id: 20231017-strncpy-drivers-net-wireless-cisco-airo-c-d09cd0500a6e Best regards, -- Justin Stitt <justinstitt@google.com>