From: Will Deacon <will.deacon@arm.com>
To: "G. Campana" <gcampana+kvm@quarkslab.com>
Cc: kvm@vger.kernel.org, andre.przywara@arm.com
Subject: Re: [PATCH 3/7] kvmtool: fix strcpy vulnerabilities
Date: Thu, 17 Nov 2016 15:30:07 +0000 [thread overview]
Message-ID: <20161117153007.GK22855@arm.com> (raw)
In-Reply-To: <a8ff6382-fc0f-c21b-f8eb-96d19060dd57@quarkslab.com>
On Thu, Nov 10, 2016 at 04:15:12PM +0100, G. Campana wrote:
> On 08/11/2016 03:08, Will Deacon wrote:
> > On Tue, Oct 18, 2016 at 06:02:52PM +0200, G. Campana wrote:
> >> ---
> >> virtio/9p.c | 60 +++++++++++++++++++++++++++++++++++++++++++-----------------
> >> 1 file changed, 43 insertions(+), 17 deletions(-)
> >>
> >> diff --git a/virtio/9p.c b/virtio/9p.c
> >> index 9695540..cd93d06 100644
> >> --- a/virtio/9p.c
> >> +++ b/virtio/9p.c
> >> @@ -28,6 +28,7 @@ static struct p9_fid *find_or_create_fid(struct p9_dev *dev, u32 fid)
> >> {
> >> struct rb_node *node = dev->fids.rb_node;
> >> struct p9_fid *pfid = NULL;
> >> + size_t len;
> >>
> >> while (node) {
> >> struct p9_fid *cur = rb_entry(node, struct p9_fid, node);
> >> @@ -45,9 +46,15 @@ static struct p9_fid *find_or_create_fid(struct p9_dev *dev, u32 fid)
> >> if (!pfid)
> >> return NULL;
> >>
> >> + len = strlen(dev->root_dir);
> >> + if (len >= sizeof(pfid->path)) {
> >> + free(pfid);
> >> + return NULL;
> >> + }
> >
> > This doesn't make sense to me -- pfid->path is just a NULL ptr at this
> > stage. Did you mean abs_path?
> >
> Good catch. Indeed, I meant abs_path.
>
> >> +
> >> pfid->fid = fid;
> >> - strcpy(pfid->abs_path, dev->root_dir);
> >> - pfid->path = pfid->abs_path + strlen(dev->root_dir);
> >> + strncpy(pfid->abs_path, dev->root_dir, sizeof(pfid->abs_path));
> >
> > But if you did mean abs_path, why use strncpy here?
> >
> It ensures that the string is null terminated.
Given that we already did a strlen on root_dir, and we know that abs_path
is big enough to hold it, I still think this isn't needed.
Will
next prev parent reply other threads:[~2016-11-17 17:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-18 16:02 [PATCH 3/7] kvmtool: fix strcpy vulnerabilities G. Campana
2016-11-08 2:08 ` Will Deacon
2016-11-10 15:15 ` G. Campana
2016-11-17 15:30 ` Will Deacon [this message]
2016-11-18 15:33 ` G. Campana
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161117153007.GK22855@arm.com \
--to=will.deacon@arm.com \
--cc=andre.przywara@arm.com \
--cc=gcampana+kvm@quarkslab.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).