[v2,3/3] net: tap: restrict bridge name to IFNAMSIZ

Message ID 20190701090904.31312-4-ppandit@redhat.com (mailing list archive)
State New, archived
Series restrict bridge interface name to IFNAMSIZ

Commit Message

Prasad Pandit July 1, 2019, 9:09 a.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

The interface name in Linux interface request struct 'ifreq'
OR in qemu-bridge-helper is defined to be of size IFNAMSIZ(=16),
including the terminating null('\0') byte.

QEMU tap device, while invoking qemu-bridge-helper, supplies bridge
name of 16 characters, restrict it to IFNAMSIZ-1 to accommodate
terminating null('\0') byte.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 net/tap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Daniel P. Berrangé July 1, 2019, 9:37 a.m. UTC | #1
On Mon, Jul 01, 2019 at 02:39:04PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> The interface name in Linux interface request struct 'ifreq'
> OR in qemu-bridge-helper is defined to be of size IFNAMSIZ(=16),
> including the terminating null('\0') byte.
> 
> QEMU tap device, while invoking qemu-bridge-helper, supplies bridge
> name of 16 characters, restrict it to IFNAMSIZ-1 to accommodate
> terminating null('\0') byte.
> 
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  net/tap.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/tap.c b/net/tap.c
> index e8aadd8d4b..ca8536624c 100644
> --- a/net/tap.c
> +++ b/net/tap.c
> @@ -499,7 +499,7 @@ static int net_bridge_run_helper(const char *helper, const char *bridge,
>      if (pid == 0) {
>          int open_max = sysconf(_SC_OPEN_MAX), i;
>          char fd_buf[6+10];
> -        char br_buf[6+IFNAMSIZ] = {0};
> +        char br_buf[5+IFNAMSIZ] = {0};
>          char helper_cmd[PATH_MAX + sizeof(fd_buf) + sizeof(br_buf) + 15];
>  
>          for (i = 3; i < open_max; i++) {
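
Review bot: the `5` in `char br_buf[5+IFNAMSIZ]` is an undocumented magic number, like the `6+10` in `fd_buf` just above it, and `helper_cmd` is sized from `sizeof(br_buf)`, so these buffers have to be kept in step by hand. A short comment or a named constant saying what the 5 bytes hold, and that IFNAMSIZ already counts the terminating NUL, would make the off-by-one corrected here harder to reintroduce.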

Playing games with multiple "perfectly" sized static buffers & snprintf
is madness. How about re-writing this method so that it just uses
g_strdup_printf() to dynamically format the helper_cmd string.

Alternatively we could get rid of the use of shell and directly exec
the helper program. This would let us just pass argv[] and avoid the
printf'ing entirely.

Regards,
Daniel

Prasad Pandit July 1, 2019, 9:57 a.m. UTC | #2
+-- On Mon, 1 Jul 2019, Daniel P. Berrangé wrote --+
| Playing games with multiple "perfectly" sized static buffers & snprintf is 
| madness. How about re-writing this method so that it just uses 
| g_strdup_printf() to dynamically format the helper_cmd string.
| 
| Alternatively we could get rid of the use of shell and directly exec the 
| helper program. This would let us just pass argv[] and avoid the printf'ing 
| entirely.

Okay, makes sense; I'll prepare patch v3.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Patch

diff --git a/net/tap.c b/net/tap.c
index e8aadd8d4b..ca8536624c 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -499,7 +499,7 @@  static int net_bridge_run_helper(const char *helper, const char *bridge,
     if (pid == 0) {
         int open_max = sysconf(_SC_OPEN_MAX), i;
         char fd_buf[6+10];
-        char br_buf[6+IFNAMSIZ] = {0};
+        char br_buf[5+IFNAMSIZ] = {0};
         char helper_cmd[PATH_MAX + sizeof(fd_buf) + sizeof(br_buf) + 15];
 
         for (i = 3; i < open_max; i++) {
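
Review bot: shrinking `br_buf` to `5+IFNAMSIZ` limits the bridge name only as a side effect of the buffer size; the hunk adds no check on the length of `bridge` and no error path, so whether a 16-character name is rejected or cut short depends on the formatting call further down, outside these lines. An explicit test such as `strlen(bridge) >= IFNAMSIZ` with an error return before the `pid == 0` branch would make the limit stated in the commit message visible in the code and keep a shortened name from reaching the helper.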