Message ID | YM33YmacZTH820Cv@mwanda (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net-next] netfilter: nfnetlink_hook: fix check for snprintf() overflow | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for net-next |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | success | CCed 8 of 8 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 1 this patch: 1 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 11 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 1 this patch: 1 |
netdev/header_inline | success | Link |
Dan Carpenter <dan.carpenter@oracle.com> wrote: > The kernel version of snprintf() can't return negatives. The > "ret > (int)sizeof(sym)" check is off by one because and it should be > >=. Finally, we need to set a negative error code. Reviewed-by: Florian Westphal <fw@strlen.de>
On Sat, Jun 19, 2021 at 04:55:46PM +0300, Dan Carpenter wrote: > The kernel version of snprintf() can't return negatives. The > "ret > (int)sizeof(sym)" check is off by one because and it should be > >=. Finally, we need to set a negative error code. Applied, thanks.
diff --git a/net/netfilter/nfnetlink_hook.c b/net/netfilter/nfnetlink_hook.c index 58fda6ac663b..50b4e3c9347a 100644 --- a/net/netfilter/nfnetlink_hook.c +++ b/net/netfilter/nfnetlink_hook.c @@ -126,8 +126,10 @@ static int nfnl_hook_dump_one(struct sk_buff *nlskb, #ifdef CONFIG_KALLSYMS ret = snprintf(sym, sizeof(sym), "%ps", ops->hook); - if (ret < 0 || ret > (int)sizeof(sym)) + if (ret >= sizeof(sym)) { + ret = -EINVAL; goto nla_put_failure; + } module_name = strstr(sym, " ["); if (module_name) {