diff mbox series

[net-next,v2] tipc: guard against string buffer overrun

Message ID 20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org (mailing list archive)
State Accepted
Commit 6555a2a9212be6983d2319d65276484f7c5f431a
Delegated to: Netdev Maintainers
Headers show
Series [net-next,v2] tipc: guard against string buffer overrun | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 42 this patch: 42
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 43 this patch: 43
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 43 this patch: 43
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 9 this patch: 9
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-08-03--00-00 (tests: 701)

Commit Message

Simon Horman Aug. 1, 2024, 6:35 p.m. UTC 
Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.

 .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
 .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.

Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")

Compile tested only.

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Simon Horman <horms@kernel.org>
---
I am not marking this as a fix for net as I am not aware of this
actually breaking anything in practice. Thus, at this point I consider
it more of a clean-up than a bug fix.
---
Changes in v2:
- Correct formatting and typo in subject (Thanks Jakub)
  + The formatting problem was caused by tooling (b4)
    so I reworded the subject as a work-around
- Added Acked-by tag from Jakub
- Link to v1: https://lore.kernel.org/r/20240731-tipic-overrun-v1-1-32ce5098c3e9@kernel.org
---
 net/tipc/bearer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Simon Horman Aug. 2, 2024, 9:42 a.m. UTC | #1 
On Thu, Aug 01, 2024 at 07:35:37PM +0100, Simon Horman wrote:
> Smatch reports that copying media_name and if_name to name_parts may
> overwrite the destination.
> 
>  .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
>  .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
> 
> This does seem to be the case so guard against this possibility by using
> strscpy() and failing if truncation occurs.
> 
> Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
> 
> Compile tested only.
> 
> Reviewed-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Simon Horman <horms@kernel.org>
> ---
> I am not marking this as a fix for net as I am not aware of this
> actually breaking anything in practice. Thus, at this point I consider
> it more of a clean-up than a bug fix.
> ---
> Changes in v2:
> - Correct formatting and typo in subject (Thanks Jakub)
>   + The formatting problem was caused by tooling (b4)
>     so I reworded the subject as a work-around

Just to clarify. The formatting issue I was referring, is a double space
in the subject [1], which seems to of occurred due to the subject being
linewrapped and then unlinewrapped. However, in the light of a new day,
it is not at all clear to me that b4 is the cause of the problem.
So sorry for pointing my finger at it.

[1] https://lore.kernel.org/netdev/20240731182356.01a4c2b8@kernel.org/

> - Added Acked-by tag from Jakub
> - Link to v1: https://lore.kernel.org/r/20240731-tipic-overrun-v1-1-32ce5098c3e9@kernel.org

...
patchwork-bot+netdevbpf@kernel.org Aug. 3, 2024, 12:30 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 01 Aug 2024 19:35:37 +0100 you wrote:
> Smatch reports that copying media_name and if_name to name_parts may
> overwrite the destination.
> 
>  .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
>  .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
> 
> This does seem to be the case so guard against this possibility by using
> strscpy() and failing if truncation occurs.
> 
> [...]

Here is the summary with links:
  - [net-next,v2] tipc: guard against string buffer overrun
    https://git.kernel.org/netdev/net-next/c/6555a2a9212b

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 5a526ebafeb4..3c9e25f6a1d2 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -163,8 +163,12 @@  static int bearer_name_validate(const char *name,
 
 	/* return bearer name components, if necessary */
 	if (name_parts) {
-		strcpy(name_parts->media_name, media_name);
-		strcpy(name_parts->if_name, if_name);
+		if (strscpy(name_parts->media_name, media_name,
+			    TIPC_MAX_MEDIA_NAME) < 0)
+			return 0;
+		if (strscpy(name_parts->if_name, if_name,
+			    TIPC_MAX_IF_NAME) < 0)
+			return 0;
 	}
 	return 1;
 }