Re: [PATCH net v2] selftests: net: fix "buffer overflow detected" for tap.c

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: "Alice C. Munduruca" <alice.munduruca@canonical.com>,
	 netdev@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org,
	 "Alice C. Munduruca" <alice.munduruca@canonical.com>,
	 "David S. Miller" <davem@davemloft.net>,
	 Eric Dumazet <edumazet@google.com>,
	 Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>,
	 Simon Horman <horms@kernel.org>,  Shuah Khan <shuah@kernel.org>,
	 Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH net v2] selftests: net: fix "buffer overflow detected" for tap.c
Date: Fri, 12 Dec 2025 14:18:25 -0500	[thread overview]
Message-ID: <willemdebruijn.kernel.1702e18dd0a@gmail.com> (raw)
In-Reply-To: <20251212144921.16915-1-alice.munduruca@canonical.com>

Alice C. Munduruca wrote:
> When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3', the
> strcpy() in rtattr_add_strsz() is replaced with a checked version which
> causes the test to consistently fail when compiled with toolchains for
> which this option is enabled by default.
> 
>  TAP version 13
>  1..3
>  # Starting 3 tests from 1 test cases.
>  #  RUN           tap.test_packet_valid_udp_gso ...
>  *** buffer overflow detected ***: terminated
>  # test_packet_valid_udp_gso: Test terminated by assertion
>  #          FAIL  tap.test_packet_valid_udp_gso
>  not ok 1 tap.test_packet_valid_udp_gso
>  #  RUN           tap.test_packet_valid_udp_csum ...
>  *** buffer overflow detected ***: terminated
>  # test_packet_valid_udp_csum: Test terminated by assertion
>  #          FAIL  tap.test_packet_valid_udp_csum
>  not ok 2 tap.test_packet_valid_udp_csum
>  #  RUN           tap.test_packet_crash_tap_invalid_eth_proto ...
>  *** buffer overflow detected ***: terminated
>  # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
>  #          FAIL  tap.test_packet_crash_tap_invalid_eth_proto
>  not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
>  # FAILED: 0 / 3 tests passed.
>  # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
> 
> A buffer overflow is detected by the fortified glibc __strcpy_chk()
> since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
> reported as 1, even though there is ample space in its bounding buffer
> `req`.
> 
> Using the unchecked function memcpy() here instead allows us to match
> the way rtattr_add_str() is written while avoiding the spurious test
> failure.
> 
> Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
> Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
> ---
>  tools/testing/selftests/net/tap.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
> index 247c3b3ac1c9..dd961b629295 100644
> --- a/tools/testing/selftests/net/tap.c
> +++ b/tools/testing/selftests/net/tap.c
> @@ -67,7 +67,7 @@ static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
>  {
>  	struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
>  
> -	strcpy(RTA_DATA(rta), s);
> +	memcpy(RTA_DATA(rta), s, strlen(s) + 1);

Could call strlen(s) only once in the function.

Why does rtattr_add_str do the same without the terminating '\0'?
It is only used with IFNAME so assumes max size of IFNAMSIZ perhaps?
>  	return rta;
>  }
>  
> -- 
> 2.48.1
>

next prev parent reply	other threads:[~2025-12-12 19:18 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-12 14:49 [PATCH net v2] selftests: net: fix "buffer overflow detected" for tap.c Alice C. Munduruca
2025-12-12 19:18 ` Willem de Bruijn [this message]
2025-12-15 16:22   ` Alice C. Munduruca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=willemdebruijn.kernel.1702e18dd0a@gmail.com \
    --to=willemdebruijn.kernel@gmail.com \
    --cc=alice.munduruca@canonical.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=shuah@kernel.org \
    --cc=willemb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.