From patchwork Thu May 3 18:50:47 2018
X-Patchwork-Submitter: "Verma, Vishal L"
X-Patchwork-Id: 10378949
From: Vishal Verma
Subject: [ndctl PATCH 1/4] libndctl: fix potential buffer overflow in write_cache APIs
Date: Thu, 3 May 2018 12:50:47 -0600
Message-Id: <20180503185050.7559-1-vishal.l.verma@intel.com>

We used a local stack variable to hold the sysfs path, which had a potential to overflow. Instead, switch to the 'scratch space' bdbs->buf to store the sysfs path as it is correctly sized for it.

Cc: Dan Williams
Signed-off-by: Vishal Verma

--- ndctl/lib/libndctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ndctl/lib/libndctl.c b/ndctl/lib/libndctl.c index 59ea82a..2a3ef0c 100644 --- a/ndctl/lib/libndctl.c +++ b/ndctl/lib/libndctl.c @@ -3991,10 +3991,10 @@ static int __ndctl_namespace_set_write_cache(struct ndctl_namespace *ndns, { struct ndctl_ctx *ctx = ndctl_namespace_get_ctx(ndns); struct ndctl_pfn *pfn = ndctl_namespace_get_pfn(ndns); + char *path = ndns->ndns_buf; char buf[SYSFS_ATTR_SIZE]; int len = ndns->buf_len; const char *bdev; - char path[50]; if (state != 1 && state != 0) return -ENXIO; 
@@ -4034,9 +4034,9 @@ NDCTL_EXPORT int ndctl_namespace_write_cache_is_enabled( struct ndctl_ctx *ctx = ndctl_namespace_get_ctx(ndns); struct ndctl_pfn *pfn = ndctl_namespace_get_pfn(ndns); int len = ndns->buf_len, wc; + char *path = ndns->ndns_buf; char buf[SYSFS_ATTR_SIZE]; const char *bdev; - char path[50]; if (pfn) bdev = ndctl_pfn_get_block_device(pfn);
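Review bot: In the first hunk (__ndctl_namespace_set_write_cache), the write into path is not part of the visible lines, so the overflow is only closed if that write is bounded by the new buffer's size. `char *path = ndns->ndns_buf;` swaps the 50-byte array for a pointer, and the matching capacity is already at hand in `int len = ndns->buf_len;`. Please confirm the formatting call uses snprintf(path, len, ...) and returns an error when the result is >= len, rather than relying on the buffer being "correctly sized". Separately, the commit message names bdbs->buf while the code uses ndns->ndns_buf; the message should name the field the patch actually uses.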
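Review bot: In the second hunk (ndctl_namespace_write_cache_is_enabled), `char *path = ndns->ndns_buf;` makes an exported query function write to per-namespace shared state, where the removed `char path[50];` was private to the call. That means path is only valid until the next user of ndns->ndns_buf, and two callers on the same ndns can overwrite each other's path. Please check that nothing called between building path and reading the attribute touches ndns_buf, and add a short comment at the declaration stating that the scratch buffer is borrowed for the duration of the call. The same bounded-write check against `len` (ndns->buf_len) applies here as in the setter.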