From patchwork Mon Feb 13 03:26:31 2023
X-Patchwork-Submitter: Sam James
X-Patchwork-Id: 13137774
X-Patchwork-Delegate: stephen@networkplumber.org
From: Sam James To: sam@gentoo.org Cc: dwfreed@mtu.edu, freswa@archlinux.org, netdev@vger.kernel.org, stephen@networkplumber.org, toolchain@gentoo.org Subject: [PATCH] ip: fix UB in strncpy (e.g. truncated ip route output) Date: Mon, 13 Feb 2023 03:26:31 +0000 Message-Id: <20230213032631.143810-1-sam@gentoo.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org> References: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap. This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated, but it was UB anyway and you can see it occurring w/ glibc-2.36. Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112 Thanks-to: Doug Freed Signed-off-by: Sam James --- ip/iproute.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ip/iproute.c b/ip/iproute.c index 0bab0fdf..a7cd9543 100644 --- a/ip/iproute.c +++ b/ip/iproute.c @@ -748,6 +748,7 @@ int print_route(struct nlmsghdr *n, void *arg) int ret; SPRINT_BUF(b1); + SPRINT_BUF(b2); if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) { fprintf(stderr, "Not a route: %08x %08x %08x\n", @@ -809,7 +810,7 @@ int print_route(struct nlmsghdr *n, void *arg) r->rtm_dst_len); } else { const char *hostname = format_host_rta_r(family, tb[RTA_DST], - b1, sizeof(b1)); + b2, sizeof(b2)); if (hostname) strncpy(b1, hostname, sizeof(b1) - 1); } @@ -832,7 +833,7 @@ int print_route(struct nlmsghdr *n, void *arg) r->rtm_src_len); } else { const char *hostname = format_host_rta_r(family, tb[RTA_SRC], - b1, sizeof(b1)); + b2, sizeof(b2)); if (hostname) strncpy(b1, hostname, sizeof(b1) - 1); }
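
Review bot: The new SPRINT_BUF(b2) in the first hunk (@@ -748,6 +748,7 @@) is declared with no comment saying why print_route needs a second scratch buffer. A one-line comment stating that the buffer handed to format_host_rta_r must not alias the strncpy destination b1 would stop a later cleanup from merging the two buffers again and reintroducing the overlap.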
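
Review bot: In the RTA_DST branch (second hunk), strncpy(b1, hostname, sizeof(b1) - 1) never writes the last byte of b1, so b1 is only NUL-terminated when hostname is shorter than sizeof(b1) - 1 or that byte already happened to be zero; nothing in the visible lines sets it. Now that the source is the separate b2, the copy could be snprintf(b1, sizeof(b1), "%s", hostname), or be followed by b1[sizeof(b1) - 1] = '\0', so that a long returned name cannot leave b1 unterminated.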
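
Review bot: The RTA_SRC branch (third hunk) repeats the RTA_DST sequence line for line, and in both places the hostname == NULL case has no else, so b1 silently keeps whatever it held before. A small helper that takes the rtattr and the destination buffer, formats into its own scratch space and copies the result out would keep the two branches from drifting apart and give one place to define what b1 contains when format_host_rta_r returns NULL.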