From patchwork Wed Dec 30 00:48:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Kicinski X-Patchwork-Id: 11992861 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6495DC433E0 for ; Wed, 30 Dec 2020 00:50:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 24C2F207CF for ; Wed, 30 Dec 2020 00:50:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726274AbgL3Ath (ORCPT ); Tue, 29 Dec 2020 19:49:37 -0500 Received: from mail.kernel.org ([198.145.29.99]:33380 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726156AbgL3Ath (ORCPT ); Tue, 29 Dec 2020 19:49:37 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id AEC01207CF; Wed, 30 Dec 2020 00:48:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1609289337; bh=NHtm5frSNwZAThwPuhJZZehqWWd7Ojo398ySi0sf/9s=; h=From:To:Cc:Subject:Date:From; b=Jbzq5Sq69rBxP8bUpEpBaztrFZem6mq6QV8yRvSvRTt5MIWdZy9d26TR05ci9uSXh FLC4FKtP4bT1TSXNG26X+UMD+Twb14SG0kSlI271poppxLai52tWKr6OFxxE2w4NVT ObRitsMH1M6pv0fqoZTpxHIN/kY3Vk9+Bb28eL1zSOg7hEkRKBnuAPexyz4qNMY55I mgHxns6TQxfgZNryhnkCRJDeT7Wly1IwfZ7VHjqKkRP4Us7p6ltq6QBamo5frkHd3x iAbFnbC+5w4kuAN0oR5VD0AckvCsGm8BZK0QMNfttybe3kPvE51/0rEqQcZ7yAryTx +GPAbHBIoxY+g== From: Jakub Kicinski To: davem@davemloft.net Cc: kgraul@linux.ibm.com, guvenc@linux.ibm.com, linux-s390@vger.kernel.org, netdev@vger.kernel.org, Jakub Kicinski , syzbot+f4708c391121cfc58396@syzkaller.appspotmail.com Subject: [PATCH net] smc: fix out of bound access in smc_nl_get_sys_info() Date: Tue, 29 Dec 2020 16:48:41 -0800 Message-Id: <20201230004841.1472141-1-kuba@kernel.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org smc_clc_get_hostname() sets the host pointer to a buffer which is not NULL-terminated (see smc_clc_init()). Reported-by: syzbot+f4708c391121cfc58396@syzkaller.appspotmail.com Fixes: 099b990bd11a ("net/smc: Add support for obtaining system information") Signed-off-by: Jakub Kicinski Reviewed-by: Karsten Graul --- net/smc/smc_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 59342b519e34..8d866b4ed8f6 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -246,7 +246,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb) goto errattr; smc_clc_get_hostname(&host); if (host) { - snprintf(hostname, sizeof(hostname), "%s", host); + memcpy(hostname, host, SMC_MAX_HOSTNAME_LEN); + hostname[SMC_MAX_HOSTNAME_LEN] = 0; if (nla_put_string(skb, SMC_NLA_SYS_LOCAL_HOST, hostname)) goto errattr; }