From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
To: Bart Van Assche <bvanassche@acm.org>
Cc: linux-rdma <linux-rdma@vger.kernel.org>,
	Roland Dreier <roland@purestorage.com>,
	Christoph Hellwig <hch@lst.de>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	target-devel <target-devel@vger.kernel.org>
Subject: Re: [PATCH 8/9] ib_srpt: Convert srp_max_rsp_size into per port configfs attribute
Date: Mon, 24 Oct 2011 13:19:29 -0700
Message-ID: <1319487569.17450.67.camel@haakon2.linux-iscsi.org>
In-Reply-To: <CAO+b5-qXTPNQH1xdjciT+oR0GyJT_nHiP4G_6bL1UWi4rOim5w@mail.gmail.com>

On Mon, 2011-10-24 at 22:11 +0200, Bart Van Assche wrote:
> On Mon, Oct 24, 2011 at 10:05 PM, Nicholas A. Bellinger
> <nab@linux-iscsi.org> wrote:
> > On Mon, 2011-10-24 at 21:58 +0200, Bart Van Assche wrote:
> >> On Mon, Oct 24, 2011 at 9:49 PM, Nicholas A. Bellinger
> >> <nab@linux-iscsi.org> wrote:
> >> > On Mon, 2011-10-24 at 21:44 +0200, Bart Van Assche wrote:
> >> >> On Mon, Oct 24, 2011 at 7:33 AM, Nicholas A. Bellinger
> >> >> <nab@linux-iscsi.org> wrote:
> >> >> > +static ssize_t srpt_tpg_attrib_store_srp_max_rsp_size(
> >> >> > +       struct se_portal_group *se_tpg,
> >> >> > +       const char *page,
> >> >> > +       size_t count)
> >> >> > +{
> >> >> > +       struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
> >> >> > +       unsigned long val;
> >> >> > +       int ret;
> >> >> > +
> >> >> > +       ret = strict_strtoul(page, 0, &val);
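Review bot: the strict_strtoul(page, 0, &val) call parses up to a terminator, yet count is not used anywhere in the lines shown, so the handler depends on the caller having NUL-terminated page. A short comment above the call stating that configfs terminates the buffer before invoking the store method would make that dependency explicit for anyone copying this pattern to another interface. Base 0 also accepts input such as "0x10" or "010" as hex and octal; pass 10 if only decimal values are intended.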
> >> >>
> >> >> If the data "page" points at only consists of digits, the above
> >> >> strict_strtoul() call will trigger a past-end-of-buffer read.
> >> >
> >> > I don't understand what you mean here.  Can you provide a test case to
> >> > demonstrate please..?
> >>
> >> echo -n "345" >$configfs_path_of_parameter.
> >
> > Still not sure what you're getting at here..?
> 
> Only the data in page[0..count-1] is guaranteed to be initialized.
> strict_strtoul() will read until it either finds whitespace or a
> binary zero, so if the data in page[] contains neither whitespace
> nor a binary zero then strict_strtoul() will read past the end of the
> data in page[]. There may be any data at page[count], including a
> valid digit.
> 

That is part obvious.  The point you're missing is that configfs is
already sanitizing the incoming buffer in fs/configfs/file.c to work
with strict_strtoul() here:

static int
fill_write_buffer(struct configfs_buffer * buffer, const char __user * buf, size_t count)
{
        int error;

        if (!buffer->page)
                buffer->page = (char *)__get_free_pages(GFP_KERNEL, 0);
        if (!buffer->page)
                return -ENOMEM;

        if (count >= SIMPLE_ATTR_SIZE)
                count = SIMPLE_ATTR_SIZE - 1;
        error = copy_from_user(buffer->page,buf,count);
        buffer->needs_read_fill = 1;
        /* if buf is assumed to contain a string, terminate it by \0,
         * so e.g. sscanf() can scan the string easily */
        buffer->page[count] = 0;
        return error ? -EFAULT : count;
}
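
The termination contract discussed in this message, as an added userspace example that is not part of the original mail or of the kernel sources: it models the clamp-copy-terminate step of fill_write_buffer() and shows what a string parser sees when the terminator is and is not written. ATTR_SIZE, fill_page(), parse_strict() and store_demo() are hypothetical names, the 4096 value is an assumption, and the stale page contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATTR_SIZE 4096 /* assumed stand-in for SIMPLE_ATTR_SIZE */

/* Copy step modeled on fill_write_buffer(): clamp, copy, optionally terminate. */
static size_t fill_page(char *page, const char *buf, size_t count, int terminate)
{
    if (count >= ATTR_SIZE)
        count = ATTR_SIZE - 1;
    memcpy(page, buf, count);
    if (terminate)
        page[count] = '\0';
    return count;
}

/* Whole-string parse in the spirit of strict_strtoul(); one trailing '\n' allowed. */
static int parse_strict(const char *page, unsigned long *val)
{
    char *end;
    errno = 0;
    *val = strtoul(page, &end, 0);
    if (errno == ERANGE)
        return -ERANGE;
    if (end == page || (*end != '\0' && !(*end == '\n' && end[1] == '\0')))
        return -EINVAL;
    return 0;
}

/* Write "345" (as echo -n would) into a page holding stale digits, then parse. */
static int store_demo(int terminate, unsigned long *val)
{
    static char page[ATTR_SIZE];
    memset(page, '9', ATTR_SIZE - 1);   /* constructed stale contents */
    page[ATTR_SIZE - 1] = '\0';         /* keeps the demo inside the buffer */
    fill_page(page, "345", 3, terminate);
    return parse_strict(page, val);
}

int main(void)
{
    unsigned long v;
    int ret = store_demo(1, &v);
    printf("terminated:   ret=%d val=%lu\n", ret, v);
    printf("unterminated: ret=%d\n", store_demo(0, &v));
    return 0;
}
```

With the terminator the parse yields 345; without it the parser runs on into the stale digits and the write is rejected as out of range instead of being read as the three bytes the user sent.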
