[net] net/x25: prevent a couple of overflows

From: "kiyin(尹亮)" <kiyin@tencent.com>

The .x25_addr[] address comes from the user and is not necessarily
NUL terminated.  This leads to a couple problems.  The first problem is
that the strlen() in x25_bind() can read beyond the end of the buffer.

The second problem is more subtle and could result in memory corruption.
The call tree is:
  x25_connect()
  --> x25_write_internal()
      --> x25_addr_aton()

The .x25_addr[] buffers are copied to the "addresses" buffer from
x25_write_internal() so it will lead to stack corruption.

The x25 protocol only allows 15 character addresses so putting a NUL
terminator as the 16th character is safe and obviously preferable to
reading out of bounds.

Signed-off-by: "kiyin(尹亮)" <kiyin@tencent.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---

 net/x25/af_x25.c | 3 +++
 1 file changed, 3 insertions(+)

On 2020-11-30 11:04, Dan Carpenter wrote:
> From: "kiyin(尹亮)" <kiyin@tencent.com>

> 

> The .x25_addr[] address comes from the user and is not necessarily

> NUL terminated.  This leads to a couple problems.  The first problem is

> that the strlen() in x25_bind() can read beyond the end of the buffer.

> 

> The second problem is more subtle and could result in memory 

> corruption.

> The call tree is:

>   x25_connect()

>   --> x25_write_internal()

>       --> x25_addr_aton()

> 

> The .x25_addr[] buffers are copied to the "addresses" buffer from

> x25_write_internal() so it will lead to stack corruption.

> 

> The x25 protocol only allows 15 character addresses so putting a NUL

> terminator as the 16th character is safe and obviously preferable to

> reading out of bounds.

> 


OK, I see the potential danger. I'm just wondering what is the better
approach here to counteract it:
1. check if the string is terminated or exceeds the maximum allowed
    length and report an error if necessary.
2. always terminate the string at byte 15 as you suggested.

> Signed-off-by: "kiyin(尹亮)" <kiyin@tencent.com>

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

> ---

> 

>  net/x25/af_x25.c | 3 +++

>  1 file changed, 3 insertions(+)

> 

> diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c

> index 0bbb283f23c9..3180f15942fe 100644

> --- a/net/x25/af_x25.c

> +++ b/net/x25/af_x25.c

> @@ -686,6 +686,8 @@ static int x25_bind(struct socket *sock, struct

> sockaddr *uaddr, int addr_len)

>  		goto out;

>  	}

> 

> +	addr->sx25_addr.x25_addr[X25_ADDR_LEN - 1] = '\0';

> +

>  	/* check for the null_x25_address */

>  	if (strcmp(addr->sx25_addr.x25_addr, null_x25_address.x25_addr)) {

> 

> @@ -779,6 +781,7 @@ static int x25_connect(struct socket *sock, struct

> sockaddr *uaddr,

>  		goto out;

> 

>  	rc = -ENETUNREACH;

> +	addr->sx25_addr.x25_addr[X25_ADDR_LEN - 1] = '\0';

>  	rt = x25_get_route(&addr->sx25_addr);

>  	if (!rt)

>  		goto out;

Hi Dan,
    I think the strnlen is better. the kernel doesn't need to adjust user land mistake by putting a NULL terminator. just return an error to let the user land program fix the wrong address.

Regards,
kiyin

> -----Original Message-----

> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]

> Sent: Tuesday, December 1, 2020 11:15 PM

> To: Martin Schiller <ms@dev.tdt.de>

> Cc: David S. Miller <davem@davemloft.net>; Jakub Kicinski <kuba@kernel.org>;

> linux-x25@vger.kernel.org; netdev@vger.kernel.org; Andrew Hendry

> <andrew.hendry@gmail.com>; kiyin(尹亮) <kiyin@tencent.com>;

> security@kernel.org; linux-distros@vs.openwall.org; huntchen(陈阳)

> <huntchen@tencent.com>; dannywang(王宇) <dannywang@tencent.com>;

> kernel-janitors@vger.kernel.org

> Subject: [PATCH net v2] net/x25: prevent a couple of overflows(Internet mail)

> 

> The .x25_addr[] address comes from the user and is not necessarily NUL

> terminated.  This leads to a couple problems.  The first problem is that the

> strlen() in x25_bind() can read beyond the end of the buffer.

> 

> The second problem is more subtle and could result in memory corruption.

> The call tree is:

>   x25_connect()

>   --> x25_write_internal()

>       --> x25_addr_aton()

> 

> The .x25_addr[] buffers are copied to the "addresses" buffer from

> x25_write_internal() so it will lead to stack corruption.

> 

> Verify that the strings are NUL terminated and return -EINVAL if they are not.

> 

> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

> ---

> The first patch put a NUL terminator on the end of the string and this patch

> returns an error instead.  I don't have a strong preference, which patch to go

> with.

> 

>  net/x25/af_x25.c | 6 ++++--

>  1 file changed, 4 insertions(+), 2 deletions(-)

> 

> diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index

> 9232cdb42ad9..d41fffb2507b 100644

> --- a/net/x25/af_x25.c

> +++ b/net/x25/af_x25.c

> @@ -675,7 +675,8 @@ static int x25_bind(struct socket *sock, struct

> sockaddr *uaddr, int addr_len)

>  	int len, i, rc = 0;

> 

>  	if (addr_len != sizeof(struct sockaddr_x25) ||

> -	    addr->sx25_family != AF_X25) {

> +	    addr->sx25_family != AF_X25 ||

> +	    strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) ==

> X25_ADDR_LEN) {

>  		rc = -EINVAL;

>  		goto out;

>  	}

> @@ -769,7 +770,8 @@ static int x25_connect(struct socket *sock, struct

> sockaddr *uaddr,

> 

>  	rc = -EINVAL;

>  	if (addr_len != sizeof(struct sockaddr_x25) ||

> -	    addr->sx25_family != AF_X25)

> +	    addr->sx25_family != AF_X25 ||

> +	    strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) ==

> X25_ADDR_LEN)

>  		goto out;

> 

>  	rc = -ENETUNREACH;

> --

> 2.29.2