* [Suggestion] net/tipc: can delete checking: (if_local_len > TIPC_MAX_IF_NAME) || (if_peer_len > TIPC_MAX_IF_NAME)
@ 2012-11-20 4:08 Chen Gang
2012-11-20 5:19 ` Xue Ying
0 siblings, 1 reply; 6+ messages in thread
From: Chen Gang @ 2012-11-20 4:08 UTC (permalink / raw)
To: David Miller; +Cc: Shan Wei, Eric Dumazet, netdev
Hello David Miller:
at net/tipc/link.c:212,213, we can delete the check (if_local_len > TIPC_MAX_IF_NAME) and (if_peer_len > TIPC_MAX_IF_NAME)
for the total buffer length is no more than TIPC_MAX_IF_NAME, already (at line 182..186).
suggest to modify it, although it is minor.
thanks.
167 static int link_name_validate(const char *name,
168 struct tipc_link_name *name_parts)
169 {
170 char name_copy[TIPC_MAX_LINK_NAME];
171 char *addr_local;
172 char *if_local;
173 char *addr_peer;
174 char *if_peer;
175 char dummy;
176 u32 z_local, c_local, n_local;
177 u32 z_peer, c_peer, n_peer;
178 u32 if_local_len;
179 u32 if_peer_len;
180
181 /* copy link name & ensure length is OK */
182 name_copy[TIPC_MAX_LINK_NAME - 1] = 0;
183 /* need above in case non-Posix strncpy() doesn't pad with nulls */
184 strncpy(name_copy, name, TIPC_MAX_LINK_NAME);
185 if (name_copy[TIPC_MAX_LINK_NAME - 1] != 0)
186 return 0;
187
188 /* ensure all component parts of link name are present */
189 addr_local = name_copy;
190 if_local = strchr(addr_local, ':');
191 if (if_local == NULL)
192 return 0;
193 *(if_local++) = 0;
194 addr_peer = strchr(if_local, '-');
195 if (addr_peer == NULL)
196 return 0;
197 *(addr_peer++) = 0;
198 if_local_len = addr_peer - if_local;
199 if_peer = strchr(addr_peer, ':');
200 if (if_peer == NULL)
201 return 0;
202 *(if_peer++) = 0;
203 if_peer_len = strlen(if_peer) + 1;
204
205 /* validate component parts of link name */
206 if ((sscanf(addr_local, "%u.%u.%u%c",
207 &z_local, &c_local, &n_local, &dummy) != 3) ||
208 (sscanf(addr_peer, "%u.%u.%u%c",
209 &z_peer, &c_peer, &n_peer, &dummy) != 3) ||
210 (z_local > 255) || (c_local > 4095) || (n_local > 4095) ||
211 (z_peer > 255) || (c_peer > 4095) || (n_peer > 4095) ||
212 (if_local_len <= 1) || (if_local_len > TIPC_MAX_IF_NAME) ||
213 (if_peer_len <= 1) || (if_peer_len > TIPC_MAX_IF_NAME))
214 return 0;
215
216 /* return link name components, if necessary */
217 if (name_parts) {
218 name_parts->addr_local = tipc_addr(z_local, c_local, n_local);
219 strcpy(name_parts->if_local, if_local);
220 name_parts->addr_peer = tipc_addr(z_peer, c_peer, n_peer);
221 strcpy(name_parts->if_peer, if_peer);
222 }
223 return 1;
224 }
--
Chen Gang
Asianux Corporation
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Suggestion] net/tipc: can delete checking: (if_local_len > TIPC_MAX_IF_NAME) || (if_peer_len > TIPC_MAX_IF_NAME)
2012-11-20 4:08 [Suggestion] net/tipc: can delete checking: (if_local_len > TIPC_MAX_IF_NAME) || (if_peer_len > TIPC_MAX_IF_NAME) Chen Gang
@ 2012-11-20 5:19 ` Xue Ying
2012-11-20 5:25 ` Chen Gang
2012-11-20 8:47 ` [Suggestion] net/netfilter: strcpy for timeout->name Chen Gang
0 siblings, 2 replies; 6+ messages in thread
From: Xue Ying @ 2012-11-20 5:19 UTC (permalink / raw)
To: Chen Gang; +Cc: David Miller, Shan Wei, Eric Dumazet, netdev
Chen Gang wrote:
> Hello David Miller:
>
> at net/tipc/link.c:212,213, we can delete the check (if_local_len > TIPC_MAX_IF_NAME) and (if_peer_len > TIPC_MAX_IF_NAME)
> for the total buffer length is no more than TIPC_MAX_IF_NAME, already (at line 182..186).
>
>
The length of name_copy array is TIPC_MAX_LINK_NAME(i.e, 60) while
TIPC_MAX_IF_NAME is defined to 16, why does the former is more than the
latter?
Regards,
Ying
> suggest to modify it, although it is minor.
>
> thanks.
>
>
> 167 static int link_name_validate(const char *name,
> 168 struct tipc_link_name *name_parts)
> 169 {
> 170 char name_copy[TIPC_MAX_LINK_NAME];
> 171 char *addr_local;
> 172 char *if_local;
> 173 char *addr_peer;
> 174 char *if_peer;
> 175 char dummy;
> 176 u32 z_local, c_local, n_local;
> 177 u32 z_peer, c_peer, n_peer;
> 178 u32 if_local_len;
> 179 u32 if_peer_len;
> 180
> 181 /* copy link name & ensure length is OK */
> 182 name_copy[TIPC_MAX_LINK_NAME - 1] = 0;
> 183 /* need above in case non-Posix strncpy() doesn't pad with nulls */
> 184 strncpy(name_copy, name, TIPC_MAX_LINK_NAME);
> 185 if (name_copy[TIPC_MAX_LINK_NAME - 1] != 0)
> 186 return 0;
> 187
> 188 /* ensure all component parts of link name are present */
> 189 addr_local = name_copy;
> 190 if_local = strchr(addr_local, ':');
> 191 if (if_local == NULL)
> 192 return 0;
> 193 *(if_local++) = 0;
> 194 addr_peer = strchr(if_local, '-');
> 195 if (addr_peer == NULL)
> 196 return 0;
> 197 *(addr_peer++) = 0;
> 198 if_local_len = addr_peer - if_local;
> 199 if_peer = strchr(addr_peer, ':');
> 200 if (if_peer == NULL)
> 201 return 0;
> 202 *(if_peer++) = 0;
> 203 if_peer_len = strlen(if_peer) + 1;
> 204
> 205 /* validate component parts of link name */
> 206 if ((sscanf(addr_local, "%u.%u.%u%c",
> 207 &z_local, &c_local, &n_local, &dummy) != 3) ||
> 208 (sscanf(addr_peer, "%u.%u.%u%c",
> 209 &z_peer, &c_peer, &n_peer, &dummy) != 3) ||
> 210 (z_local > 255) || (c_local > 4095) || (n_local > 4095) ||
> 211 (z_peer > 255) || (c_peer > 4095) || (n_peer > 4095) ||
> 212 (if_local_len <= 1) || (if_local_len > TIPC_MAX_IF_NAME) ||
> 213 (if_peer_len <= 1) || (if_peer_len > TIPC_MAX_IF_NAME))
> 214 return 0;
> 215
> 216 /* return link name components, if necessary */
> 217 if (name_parts) {
> 218 name_parts->addr_local = tipc_addr(z_local, c_local, n_local);
> 219 strcpy(name_parts->if_local, if_local);
> 220 name_parts->addr_peer = tipc_addr(z_peer, c_peer, n_peer);
> 221 strcpy(name_parts->if_peer, if_peer);
> 222 }
> 223 return 1;
> 224 }
>
>
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Suggestion] net/tipc: can delete checking: (if_local_len > TIPC_MAX_IF_NAME) || (if_peer_len > TIPC_MAX_IF_NAME)
2012-11-20 5:19 ` Xue Ying
@ 2012-11-20 5:25 ` Chen Gang
2012-11-20 8:47 ` [Suggestion] net/netfilter: strcpy for timeout->name Chen Gang
1 sibling, 0 replies; 6+ messages in thread
From: Chen Gang @ 2012-11-20 5:25 UTC (permalink / raw)
To: Xue Ying; +Cc: David Miller, Shan Wei, Eric Dumazet, netdev
于 2012年11月20日 13:19, Xue Ying 写道:
> Chen Gang wrote:
>> Hello David Miller:
>>
>> at net/tipc/link.c:212,213, we can delete the check (if_local_len > TIPC_MAX_IF_NAME) and (if_peer_len > TIPC_MAX_IF_NAME)
>> for the total buffer length is no more than TIPC_MAX_IF_NAME, already (at line 182..186).
>>
>>
>
> The length of name_copy array is TIPC_MAX_LINK_NAME(i.e, 60) while
> TIPC_MAX_IF_NAME is defined to 16, why does the former is more than the
> latter?
>
> Regards,
> Ying
>
It is my fault. thanks.
Regards,
gchen
>> suggest to modify it, although it is minor.
>>
>> thanks.
>>
>>
>> 167 static int link_name_validate(const char *name,
>> 168 struct tipc_link_name *name_parts)
>> 169 {
>> 170 char name_copy[TIPC_MAX_LINK_NAME];
>> 171 char *addr_local;
>> 172 char *if_local;
>> 173 char *addr_peer;
>> 174 char *if_peer;
>> 175 char dummy;
>> 176 u32 z_local, c_local, n_local;
>> 177 u32 z_peer, c_peer, n_peer;
>> 178 u32 if_local_len;
>> 179 u32 if_peer_len;
>> 180
>> 181 /* copy link name & ensure length is OK */
>> 182 name_copy[TIPC_MAX_LINK_NAME - 1] = 0;
>> 183 /* need above in case non-Posix strncpy() doesn't pad with nulls */
>> 184 strncpy(name_copy, name, TIPC_MAX_LINK_NAME);
>> 185 if (name_copy[TIPC_MAX_LINK_NAME - 1] != 0)
>> 186 return 0;
>> 187
>> 188 /* ensure all component parts of link name are present */
>> 189 addr_local = name_copy;
>> 190 if_local = strchr(addr_local, ':');
>> 191 if (if_local == NULL)
>> 192 return 0;
>> 193 *(if_local++) = 0;
>> 194 addr_peer = strchr(if_local, '-');
>> 195 if (addr_peer == NULL)
>> 196 return 0;
>> 197 *(addr_peer++) = 0;
>> 198 if_local_len = addr_peer - if_local;
>> 199 if_peer = strchr(addr_peer, ':');
>> 200 if (if_peer == NULL)
>> 201 return 0;
>> 202 *(if_peer++) = 0;
>> 203 if_peer_len = strlen(if_peer) + 1;
>> 204
>> 205 /* validate component parts of link name */
>> 206 if ((sscanf(addr_local, "%u.%u.%u%c",
>> 207 &z_local, &c_local, &n_local, &dummy) != 3) ||
>> 208 (sscanf(addr_peer, "%u.%u.%u%c",
>> 209 &z_peer, &c_peer, &n_peer, &dummy) != 3) ||
>> 210 (z_local > 255) || (c_local > 4095) || (n_local > 4095) ||
>> 211 (z_peer > 255) || (c_peer > 4095) || (n_peer > 4095) ||
>> 212 (if_local_len <= 1) || (if_local_len > TIPC_MAX_IF_NAME) ||
>> 213 (if_peer_len <= 1) || (if_peer_len > TIPC_MAX_IF_NAME))
>> 214 return 0;
>> 215
>> 216 /* return link name components, if necessary */
>> 217 if (name_parts) {
>> 218 name_parts->addr_local = tipc_addr(z_local, c_local, n_local);
>> 219 strcpy(name_parts->if_local, if_local);
>> 220 name_parts->addr_peer = tipc_addr(z_peer, c_peer, n_peer);
>> 221 strcpy(name_parts->if_peer, if_peer);
>> 222 }
>> 223 return 1;
>> 224 }
>>
>>
>>
>>
>
>
>
--
Chen Gang
Asianux Corporation
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Suggestion] net/netfilter: strcpy for timeout->name
2012-11-20 5:19 ` Xue Ying
2012-11-20 5:25 ` Chen Gang
@ 2012-11-20 8:47 ` Chen Gang
2012-11-21 11:39 ` Florian Westphal
1 sibling, 1 reply; 6+ messages in thread
From: Chen Gang @ 2012-11-20 8:47 UTC (permalink / raw)
To: Xue Ying, David Miller; +Cc: Shan Wei, Eric Dumazet, netdev
Hello Xue Ying, David Miller:
Please help checking net/netfilter/nfnetlink_cttimeout.c:
I suggest, we use strncpy instead of strcpy at line 143.
just like we have already used strncmp at line 94.
after checking the calling work flow:
the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side.
one of calling work flows is:
netlink_unicast -> netlink_unicast_kernel -> nfnetlink_rcv -> netlink_rcv_skb
-> nfnetlink_rcv_msg -> cttimeout_new_timeout
thanks.
gchen.
70 static int
71 cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
72 const struct nlmsghdr *nlh,
73 const struct nlattr * const cda[])
74 {
75 __u16 l3num;
76 __u8 l4num;
77 struct nf_conntrack_l4proto *l4proto;
78 struct ctnl_timeout *timeout, *matching = NULL;
79 struct net *net = sock_net(skb->sk);
80 char *name;
81 int ret;
82
83 if (!cda[CTA_TIMEOUT_NAME] ||
84 !cda[CTA_TIMEOUT_L3PROTO] ||
85 !cda[CTA_TIMEOUT_L4PROTO] ||
86 !cda[CTA_TIMEOUT_DATA])
87 return -EINVAL;
88
89 name = nla_data(cda[CTA_TIMEOUT_NAME]);
90 l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
91 l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
92
93 list_for_each_entry(timeout, &cttimeout_list, head) {
94 if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
95 continue;
96
97 if (nlh->nlmsg_flags & NLM_F_EXCL)
98 return -EEXIST;
99
100 matching = timeout;
101 break;
102 }
103
104 l4proto = nf_ct_l4proto_find_get(l3num, l4num);
105
106 /* This protocol is not supportted, skip. */
107 if (l4proto->l4proto != l4num) {
108 ret = -EOPNOTSUPP;
109 goto err_proto_put;
110 }
111
112 if (matching) {
113 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
114 /* You cannot replace one timeout policy by another of
115 * different kind, sorry.
116 */
117 if (matching->l3num != l3num ||
118 matching->l4proto->l4proto != l4num) {
119 ret = -EINVAL;
120 goto err_proto_put;
121 }
122
123 ret = ctnl_timeout_parse_policy(matching, l4proto, net,
124 cda[CTA_TIMEOUT_DATA]);
125 return ret;
126 }
127 ret = -EBUSY;
128 goto err_proto_put;
129 }
130
131 timeout = kzalloc(sizeof(struct ctnl_timeout) +
132 l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
133 if (timeout == NULL) {
134 ret = -ENOMEM;
135 goto err_proto_put;
136 }
137
138 ret = ctnl_timeout_parse_policy(timeout, l4proto, net,
139 cda[CTA_TIMEOUT_DATA]);
140 if (ret < 0)
141 goto err;
142
143 strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
144 timeout->l3num = l3num;
145 timeout->l4proto = l4proto;
146 atomic_set(&timeout->refcnt, 1);
147 list_add_tail_rcu(&timeout->head, &cttimeout_list);
148
149 return 0;
150 err:
151 kfree(timeout);
152 err_proto_put:
153 nf_ct_l4proto_put(l4proto);
154 return ret;
155 }
156
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Suggestion] net/netfilter: strcpy for timeout->name
2012-11-20 8:47 ` [Suggestion] net/netfilter: strcpy for timeout->name Chen Gang
@ 2012-11-21 11:39 ` Florian Westphal
2012-11-21 12:17 ` Chen Gang
0 siblings, 1 reply; 6+ messages in thread
From: Florian Westphal @ 2012-11-21 11:39 UTC (permalink / raw)
To: Chen Gang; +Cc: Xue Ying, David Miller, Shan Wei, Eric Dumazet, netdev
Chen Gang <gang.chen@asianux.com> wrote:
> Please help checking net/netfilter/nfnetlink_cttimeout.c:
> I suggest, we use strncpy instead of strcpy at line 143.
> just like we have already used strncmp at line 94.
[..]
> after checking the calling work flow:
> the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side.
Good catch, classic buffer overflow.
I've sent a patch to add the missing "len" policy. Thanks for reporting
this bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Suggestion] net/netfilter: strcpy for timeout->name
2012-11-21 11:39 ` Florian Westphal
@ 2012-11-21 12:17 ` Chen Gang
0 siblings, 0 replies; 6+ messages in thread
From: Chen Gang @ 2012-11-21 12:17 UTC (permalink / raw)
To: Florian Westphal; +Cc: Xue Ying, David Miller, Shan Wei, Eric Dumazet, netdev
于 2012年11月21日 19:39, Florian Westphal 写道:
> Chen Gang <gang.chen@asianux.com> wrote:
>> Please help checking net/netfilter/nfnetlink_cttimeout.c:
>> I suggest, we use strncpy instead of strcpy at line 143.
>> just like we have already used strncmp at line 94.
> [..]
>> after checking the calling work flow:
>> the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side.
>
> Good catch, classic buffer overflow.
>
> I've sent a patch to add the missing "len" policy. Thanks for reporting
> this bug.
thank you for your reply, too.
regard
gchen
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
Chen Gang
Asianux Corporation
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-11-21 12:16 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-11-20 4:08 [Suggestion] net/tipc: can delete checking: (if_local_len > TIPC_MAX_IF_NAME) || (if_peer_len > TIPC_MAX_IF_NAME) Chen Gang
2012-11-20 5:19 ` Xue Ying
2012-11-20 5:25 ` Chen Gang
2012-11-20 8:47 ` [Suggestion] net/netfilter: strcpy for timeout->name Chen Gang
2012-11-21 11:39 ` Florian Westphal
2012-11-21 12:17 ` Chen Gang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).