From: Kees Cook <keescook@chromium.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Justin Stitt <justinstitt@google.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-hardening@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/7] netfilter: ipset: refactor deprecated strncpy
Date: Thu, 10 Aug 2023 12:07:39 -0700 [thread overview]
Message-ID: <202308101206.35C628E5@keescook> (raw)
In-Reply-To: <q49499n7-54p3-1soo-8s83-7p84724o08p7@vanv.qr>
On Wed, Aug 09, 2023 at 11:54:48PM +0200, Jan Engelhardt wrote:
>
> On Wednesday 2023-08-09 23:40, Justin Stitt wrote:
> >On Wed, Aug 9, 2023 at 1:19 PM Florian Westphal <fw@strlen.de> wrote:
> >>
> >> Justin Stitt <justinstitt@google.com> wrote:
> >> > Use `strscpy_pad` instead of `strncpy`.
> >>
> >> I don't think that any of these need zero-padding.
> >It's a more consistent change with the rest of the series and I don't
> >believe it has much different behavior to `strncpy` (other than
> >NUL-termination) as that will continue to pad to `n` as well.
> >
> >Do you think the `_pad` for 1/7, 6/7 and 7/7 should be changed back to
> >`strscpy` in a v3? I really am shooting in the dark as it is quite
> >hard to tell whether or not a buffer is expected to be NUL-padded or
> >not.
>
> I don't recall either NF userspace or kernelspace code doing memcmp
> with name-like fields, so padding should not be strictly needed.
My only concern with padding is just to make sure any buffers copied to
userspace have been zeroed. I would need to take a close look at how
buffers are passed around here to know for sure...
--
Kees Cook
next prev parent reply other threads:[~2023-08-10 19:07 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-09 1:06 [PATCH v2 0/7] netfilter: refactor deprecated strncpy Justin Stitt
2023-08-09 1:06 ` [PATCH v2 1/7] netfilter: ipset: " Justin Stitt
2023-08-09 20:19 ` Florian Westphal
2023-08-09 21:40 ` Justin Stitt
2023-08-09 21:54 ` Jan Engelhardt
2023-08-10 19:07 ` Kees Cook [this message]
2023-08-09 21:58 ` Florian Westphal
2023-08-09 22:47 ` Justin Stitt
2023-08-09 1:06 ` [PATCH v2 2/7] netfilter: nf_tables: " Justin Stitt
2023-08-09 1:06 ` [PATCH v2 3/7] " Justin Stitt
2023-08-09 1:06 ` [PATCH v2 4/7] netfilter: nft_meta: " Justin Stitt
2023-08-09 1:06 ` [PATCH v2 5/7] netfilter: nft_osf: " Justin Stitt
2023-08-09 20:21 ` Florian Westphal
2023-08-09 1:06 ` [PATCH v2 6/7] netfilter: x_tables: " Justin Stitt
2023-08-09 20:20 ` Florian Westphal
2023-08-09 1:06 ` [PATCH v2 7/7] netfilter: xtables: " Justin Stitt
2023-08-09 20:20 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308101206.35C628E5@keescook \
--to=keescook@chromium.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=jengelh@inai.de \
--cc=justinstitt@google.com \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.