From: Fan Du <fan.du@windriver.com>
To: David Laight <David.Laight@aculab.com>
Cc: Sohny Thomas <sthomas@linux.vnet.ibm.com>,
<stephen@networkplumber.org>, <netdev@vger.kernel.org>
Subject: Re: [PATCH] {iproute2, xfrm}: Use memcpy to suppress gcc phony buffer overflow warning
Date: Tue, 8 Oct 2013 09:22:22 +0800 [thread overview]
Message-ID: <52535E4E.2090804@windriver.com> (raw)
In-Reply-To: <AE90C24D6B3A694183C094C60CF0A2F6026B7368@saturn3.aculab.com>
Back from vacation, sorry for the late reply.
On 2013年09月30日 17:29, David Laight wrote:
>>> This is a false positive warning as the destination pointer "buf"
>>> pointers to
>>> an ZERO length array, which actually will occupy alg.buf mostly.
>>> Fix this by using memcpy.
>>>
>>> struct xfrm_algo {
>>> char alg_name[64];
>>> unsigned int alg_key_len; /* in bits */
>>> char alg_key[0];
>>> };
>>>
>>> struct {
>>> union {
>>> struct xfrm_algo alg;
>>> struct xfrm_algo_aead aead;
>>> struct xfrm_algo_auth auth;
>>> } u;
>>> char buf[XFRM_ALGO_KEY_BUF_SIZE];
>>> } alg = {};
>>>
>>> buf = alg.u.alg.alg_key;
>
> That is worse than horrid...
> The tools have every right to complain about any accesses to alg_key[].
Only when using strcpy, because a build in checking inserted in this function.
>>> ---
>>> ip/xfrm_state.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
>>> index 0d98e78..5cc87d3 100644
>>> --- a/ip/xfrm_state.c
>>> +++ b/ip/xfrm_state.c
>>> @@ -159,7 +159,7 @@ static int xfrm_algo_parse(struct xfrm_algo *alg,
>>> enum xfrm_attr_type_t type,
>>> if (len> max)
>>> invarg("\"ALGO-KEY\" makes buffer overflow\n", key);
>
> I presume there is a return hiding in invarg().
Good guess :)
>>>
>>> - strncpy(buf, key, len);
>>> + memcpy(buf, key, len);
>
> Passing the length of the SOURCE to strncpy() is almost always wrong.
> You are still not terminating the copied string.
Don't worry.
The length using here has been increased by 1 at the beginning of the function,
so the copied string to the destination is terminated well.
> David
>
>
--
浮沉随浪只记今朝笑
--fan
next prev parent reply other threads:[~2013-10-08 1:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <524411AE.7000404@linux.vnet.ibm.com>
2013-09-26 18:32 ` [PATCH] iproute2: xfrm state add abort issue Sohny Thomas
2013-09-27 8:26 ` David Laight
2013-09-28 13:24 ` Sohny Thomas
2013-09-29 1:49 ` [PATCH] {iproute2, xfrm}: Use memcpy to suppress gcc phony buffer overflow warning Fan Du
2013-09-29 3:21 ` Sohny Thomas
2013-09-30 9:29 ` David Laight
2013-10-08 1:22 ` Fan Du [this message]
2013-10-01 4:10 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52535E4E.2090804@windriver.com \
--to=fan.du@windriver.com \
--cc=David.Laight@aculab.com \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=sthomas@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.