Re: [PATCH net-next 3/4] net: hns3: fix strncpy() not using dest-buf length as length issue

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <simon.horman@corigine.com>
To: Hao Lan <lanhao@huawei.com>
Cc: netdev@vger.kernel.org, yisen.zhuang@huawei.com,
	salil.mehta@huawei.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, richardcochran@gmail.com,
	wangpeiyang1@huawei.com, shenjian15@huawei.com,
	chenhao418@huawei.com, wangjie125@huawei.com,
	yuanjilin@cdjrlc.com, cai.huoqing@linux.dev,
	xiujianfeng@huawei.com
Subject: Re: [PATCH net-next 3/4] net: hns3: fix strncpy() not using dest-buf length as length issue
Date: Tue, 16 May 2023 16:11:38 +0200	[thread overview]
Message-ID: <ZGOPGhF6w08CHr8j@corigine.com> (raw)
In-Reply-To: <55ca40e4-eae1-c037-7038-46160a76d5e8@huawei.com>

On Tue, May 16, 2023 at 09:09:45PM +0800, Hao Lan wrote:
> 
> 
> On 2023/5/16 3:57, Simon Horman wrote:
> > On Mon, May 15, 2023 at 09:46:42PM +0800, Hao Lan wrote:
> >> From: Hao Chen <chenhao418@huawei.com>
> >>
> >> Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length,
> >> it may result in dest-buf overflow.
> >>
> >> This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0
> >> compiler.
> >>
> >> The warning reports as below:
> >>
> >> hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on
> >> the length of the source argument [-Wstringop-truncation]
> >>
> >> strncpy(pos, items[i].name, strlen(items[i].name));
> >>
> >> hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before
> >> terminating nul copying as many bytes from a string as its length
> >> [-Wstringop-truncation]
> >>
> >> strncpy(pos, result[i], strlen(result[i]));
> >>
> >> strncpy() use src-length as copy-length, it may result in
> >> dest-buf overflow.
> >>
> >> So,this patch add some values check to avoid this issue.
> >>
> >> Signed-off-by: Hao Chen <chenhao418@huawei.com>
> >> Reported-by: kernel test robot <lkp@intel.com>
> >> Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/
> >> Signed-off-by: Hao Lan <lanhao@huawei.com>
> >> ---
> >>  .../ethernet/hisilicon/hns3/hns3_debugfs.c    | 31 ++++++++++++++-----
> >>  .../hisilicon/hns3/hns3pf/hclge_debugfs.c     | 29 ++++++++++++++---
> >>  2 files changed, 48 insertions(+), 12 deletions(-)
> >>
> >> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> >> index 4c3e90a1c4d0..cf415cb37685 100644
> >> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> >> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> >> @@ -438,19 +438,36 @@ static void hns3_dbg_fill_content(char *content, u16 len,
> >>  				  const struct hns3_dbg_item *items,
> >>  				  const char **result, u16 size)
> >>  {
> >> +#define HNS3_DBG_LINE_END_LEN	2
> >>  	char *pos = content;
> >> +	u16 item_len;
> >>  	u16 i;
> >>  
> >> +	if (!len) {
> >> +		return;
> >> +	} else if (len <= HNS3_DBG_LINE_END_LEN) {
> >> +		*pos++ = '\0';
> >> +		return;
> >> +	}
> >> +
> >>  	memset(content, ' ', len);
> >> -	for (i = 0; i < size; i++) {
> >> -		if (result)
> >> -			strncpy(pos, result[i], strlen(result[i]));
> >> -		else
> >> -			strncpy(pos, items[i].name, strlen(items[i].name));
> >> +	len -= HNS3_DBG_LINE_END_LEN;
> >>  
> >> -		pos += strlen(items[i].name) + items[i].interval;
> >> +	for (i = 0; i < size; i++) {
> >> +		item_len = strlen(items[i].name) + items[i].interval;
> >> +		if (len < item_len)
> >> +			break;
> >> +
> >> +		if (result) {
> >> +			if (item_len < strlen(result[i]))
> >> +				break;
> >> +			memcpy(pos, result[i], strlen(result[i]));
> >> +		} else {
> >> +			memcpy(pos, items[i].name, strlen(items[i].name));
> > 
> > Hi,
> > 
> > The above memcpy() calls share the same property as the warning that
> > is being addressed: the length copied depends on the source not the
> > destination.
> > 
> > With the reworked code this seems safe. Which is good. But I wonder if,
> > given all the checking done, it makes sense to simply call strcpy() here.
> > Using strlen() as a length argument seems odd to me.
> > 
> Hi,
> Thanks for your review.
> 1. We think the memcpy is correct, our length copied depends on the source,
> or do I not understand you?
> void *memcpy(void *dest, const void *src, size_t count)
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/string.c#n619
> 
> 2. We don't know any other way to replace strlen. Do you have a better way for us?

My point is that strcpy() could be used here.
Because the source is a string, and the length of the copy
is the length of the source (string).

f.e., aren't the following functionally equivalent?

	memcpy(pos, result[i], strlen(result[i]));

	strcpy(pos, result[i])

In my view using strcpy here seems a bit simpler and therefore nicer.
But if you don't think so, that is fine.

...

next prev parent reply	other threads:[~2023-05-16 14:11 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-15 13:46 [PATCH net-next 0/4] net: hns3: There are some cleanup for the HNS3 ethernet driver Hao Lan
2023-05-15 13:46 ` [PATCH net-next 1/4] net: hns3: refine the tcam key convert handle Hao Lan
2023-05-15 15:51   ` Simon Horman
2023-05-15 20:04     ` Simon Horman
2023-05-15 13:46 ` [PATCH net-next 2/4] net: hns3: fix hns3 driver header file not self-contained issue Hao Lan
2023-05-15 20:02   ` Simon Horman
2023-05-16 13:12     ` Hao Lan
2023-05-16 14:12       ` Simon Horman
2023-05-15 13:46 ` [PATCH net-next 3/4] net: hns3: fix strncpy() not using dest-buf length as length issue Hao Lan
2023-05-15 19:57   ` Simon Horman
2023-05-16 13:09     ` Hao Lan
2023-05-16 14:11       ` Simon Horman [this message]
2023-05-16 15:35         ` Hao Lan
2023-05-16 19:05           ` Simon Horman
2023-05-15 13:46 ` [PATCH net-next 4/4] net: hns3: clear hns unused parameter alarm Hao Lan
2023-05-15 20:01   ` Simon Horman
2023-05-16 12:22     ` Hao Lan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZGOPGhF6w08CHr8j@corigine.com \
    --to=simon.horman@corigine.com \
    --cc=cai.huoqing@linux.dev \
    --cc=chenhao418@huawei.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=lanhao@huawei.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=richardcochran@gmail.com \
    --cc=salil.mehta@huawei.com \
    --cc=shenjian15@huawei.com \
    --cc=wangjie125@huawei.com \
    --cc=wangpeiyang1@huawei.com \
    --cc=xiujianfeng@huawei.com \
    --cc=yisen.zhuang@huawei.com \
    --cc=yuanjilin@cdjrlc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.