From patchwork Wed Mar 28 14:02:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 132525 Delivered-To: patch@linaro.org Received: by 10.46.84.29 with SMTP id i29csp514447ljb; Wed, 28 Mar 2018 07:03:34 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+vaZNtmqELAbAbQST210hNSmZIGWN/+huzlSQjAr3m3ZCV2TuNm1gE+JE9d79nY7lXSQ+V X-Received: by 10.99.191.65 with SMTP id i1mr2664269pgo.269.1522245814492; Wed, 28 Mar 2018 07:03:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522245814; cv=none; d=google.com; s=arc-20160816; b=boFDDCcQrBd5iCG8YSMkg6EiQO7qCm+N5tEaTCdAuau5ePd0xuEhSLYrRbPdkD0kXQ Yp4FWQVhWcdyf/BfFWPFtlDx17jXwHQlNAnWiDnbK2u+PYeAjoe6IX6ccLo24t9wotqG RnP+Dnf6abynTYarcYuI/G0k+S0m2+QCyWX8OvnFNelW6FsbPjlJALgZ6v0lYThmr8QA /6wK6/kwl8oThnhTaG5FxxxQgSkEOiTEmA4jhhJ1T1m0g52rqE8uEWIwVjLbJw1KV9UD 0TF8aJvnfk84OK95v6UVYvr8NVZE7xkzSnJ73pxwcKVTWi9TlNHZDYG71PgM0CCKE4LC TWiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=Wp4HLXVKymdUqm7z0//r7gCeofx4XSMbl25JGDdTjh0=; b=wyxLzY1EGfkfoHIPSSCzK00NB3wfyTUecuF7c2nCgKcBGtiJejTnHLvJuqVregoTck 53fXddmT7l7ccyg9Q2FN6QaIbCrwWJb2T12J9nT8LT61PPmmeZrdExgbLr3DxPtA4A7H amxjc/wLT4XOK1eg2lN8YIGh6S6XWaZsp2hL2mFZJoUGlU0IwFMr+M8iwFgY+KWrIC97 2Y+B6jbyesRvn5Yoib0ErAhASihSFbMDHYR/tUWnm80FXnt2FYSJ36qWlUuJZ1KnQirm M/5T3luJoy0P45FS5JvSGVjnHmEEl8KrkCheUhjaLgR/aJbrtyq148kurcq/ceX/Q1g+ u1FA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j2si2760294pff.214.2018.03.28.07.03.29; Wed, 28 Mar 2018 07:03:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753631AbeC1OD0 (ORCPT + 28 others); Wed, 28 Mar 2018 10:03:26 -0400 Received: from mout.kundenserver.de ([217.72.192.73]:54205 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753098AbeC1ODZ (ORCPT ); Wed, 28 Mar 2018 10:03:25 -0400 Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de (mreue101 [212.227.15.145]) with ESMTPA (Nemesis) id 0MWiwF-1f2crJ2YOp-00Xwjd; Wed, 28 Mar 2018 16:03:06 +0200 From: Arnd Bergmann To: Jon Maloy , Ying Xue , "David S. Miller" Cc: Arnd Bergmann , Parthasarathy Bhuvaragan , netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org Subject: [PATCH] tipc: avoid possible string overflow Date: Wed, 28 Mar 2018 16:02:04 +0200 Message-Id: <20180328140302.2594031-1-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 X-Provags-ID: V03:K0:5RhZM5SbmawoVgP1LJGeBeNkOKj7yHdtvOneWGsGT6dQ+mXciGV 9EArn0BsSTFl0KgS2TNvN+px6coiNgBZ6/f6N4aEfftAS5jBCJ2IYS569i5/1Y7W16i0h4V pO7A7uZ3aqMJDkARxD10Y5JiL/NhZRzdIrNBtFk9Sp7yC8E2PY17qh8A035vXWNPdGb/eCU SXUUmF1Wjh/oE9rcmblOg== X-UI-Out-Filterresults: notjunk:1; V01:K0:ARZNESDlisA=:PijNZ9FbgEocPXILR+4oGP BN4PNY3JdGJ/Mgx8+I1ITxAxc0mC5P5iIVYglWJrKeBOPBq6mT1hv52mPhcaI0qLu+DjTIW4m O4JH0P64eRuCJnMeCyvZRsVdqVLAZmIiPIeV1Ut4W8eNX7DCHR1wLZ3EZxYJ2q3fEV0zmY2a+ 6piYSXEXQ0mDpfeoOsnglZ3JXJBFhZ61n6EtqHkZ+5cgUcHoo1s41YOAQKIQ+eK06fmHhATUE rRwv2eE0ql7yjCfIhmM5YFLhA0voiiXfV5WssC6gUxf+kO+ThnfXjIjbkxW9vSYijx/FtN1vc vPieSnpntacC9mctTFbsVr+0+UOCKWx5mkuos9Qvc+P0e8+Ev5nILMqkVfwMsNgQStEd/jcnO m+VFPHDll/xUG/CXy2Znq2YyfQwDrnb+ZYFeKZhsTcM4cJt1xnZD28rzkcLCsuhlKCDPShSH9 Dx8eCnjf8zfPBF9RCeAOLtNPbRg6pBEm7RiCYPLNtAJ8e/UR5B67en41BcCKD4CD4JupKDN0W 9QCDSHTxs/vwlzG9vtDmAlgCgF0WGen6j6ujRgDrDNgUGNt/lVjMopLR/Y0tO6uY/MODAv11B uTVBaE1D23ZD6tls/dZfEur35AmGm0rhI3UoEME30F42KwrLcLWbHSxe9C44JrOgAuYKX1ZDm f/EnueM2UAz/abmk1Yc1C0F1JJ+Vs0Yv1R8efhesgabvd9gnUqw6lsrqqeQuZOdallSOXykcq RJNRgfFDZdkKU0R0ibw1nNJjqqdFmsKaKZG+aw== Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org gcc points out that the combined length of the fixed-length inputs to l->name is larger than the destination buffer size: net/tipc/link.c: In function 'tipc_link_create': net/tipc/link.c:465:26: error: '%s' directive writing up to 32 bytes into a region of size between 26 and 58 [-Werror=format-overflow=] sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str); ^~ ~~~~~~~~ net/tipc/link.c:465:2: note: 'sprintf' output 11 or more bytes (assuming 75) into a destination of size 60 sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str); Using snprintf() ensures that the destination is still a nul-terminated string in all cases. It's still theoretically possible that the string gets trunctated though, so this patch should be carefully reviewed to ensure that either truncation is impossible in practice, or that we're ok with the truncation. Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values") Signed-off-by: Arnd Bergmann --- net/tipc/link.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.9.0 diff --git a/net/tipc/link.c b/net/tipc/link.c index 1289b4ba404f..c195ba036035 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -462,7 +462,8 @@ bool tipc_link_create(struct net *net, char *if_name, int bearer_id, sprintf(peer_str, "%x", peer); } /* Peer i/f name will be completed by reset/activate message */ - sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str); + snprintf(l->name, sizeof(l->name), "%s:%s-%s:unknown", + self_str, if_name, peer_str); strcpy(l->if_name, if_name); l->addr = peer;