From: Dan Carpenter <dan.carpenter@oracle.com>
To: Joe Perches <joe@perches.com>
Cc: Karsten Keil <isdn@linux-pingi.de>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] isdn: icn: buffer overflow in icn_command()
Date: Wed, 16 Apr 2014 14:16:53 +0300 [thread overview]
Message-ID: <20140416111653.GF4963@mwanda> (raw)
In-Reply-To: <1397490748.2803.18.camel@joe-AO722>
On Mon, Apr 14, 2014 at 08:52:28AM -0700, Joe Perches wrote:
> On Mon, 2014-04-14 at 11:07 +0300, Dan Carpenter wrote:
> > The cbuf[] buffer is 60 characters but we're putting a potential 79
> > characters and a NUL into it. I've made it 80 characters and changed
> > the sprintf() to snprintf().
> []
> > @@ -1309,7 +1309,6 @@ icn_command(isdn_ctrl *c, icn_card *card)
> > break;
> > if ((c->arg & 255) < ICN_BCH) {
> > char *p;
> > - char dial[50];
> > char dcode[4];
>
> The change log does not mentioned removal of dial.
>
Oops. Sorry about that.
> As this subsystem likely has 0 active users, perhaps
> making the minimal correctness change might be better.
>
> Also, if making other changes, perhaps it'd be better
> to similarly replace dcode with a pointer as well.
I thought about that when I was writing the patch, but I wanted to make
minimal changes. The dial change is necessary because static checkers
would assume we are using all 50 characters of the dial[] buffer instead
of just the first 32.
>
> > @@ -1321,10 +1320,10 @@ icn_command(isdn_ctrl *c, icn_card *card)
> > } else
> > /* Normal Dial */
> > strcpy(dcode, "CAL");
> > - strcpy(dial, p);
> > - sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
> > - dcode, dial, c->parm.setup.si1,
> > - c->parm.setup.si2, c->parm.setup.eazmsn);
> > + snprintf(cbuf, sizeof(cbuf),
> > + "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
> > + dcode, p, c->parm.setup.si1,
> > + c->parm.setup.si2, c->parm.setup.eazmsn);
> > i = icn_writecmd(cbuf, strlen(cbuf), 0, card);
>
> Maybe save the snprintf result length and use it
> in icn_writecmd too.
>
snprintf() returns the number of bytes which would have been printed if
there were enough space and not the number of bytes in the string.
Using the value from snprintf() would not introduce a bug because I have
carefully counted the number of bytes in the output string, but it would
hopefully annoy human auditors of this code. ;) You are thinking of
scnprintf().
I'm going to apply your minimal changes suggestion here.
regards,
dan carpenter
next prev parent reply other threads:[~2014-04-16 11:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-14 8:07 [patch] isdn: icn: buffer overflow in icn_command() Dan Carpenter
2014-04-14 15:52 ` Joe Perches
2014-04-16 11:16 ` Dan Carpenter [this message]
2014-04-16 11:47 ` Joe Perches
2014-04-16 11:25 ` [patch v2] " Dan Carpenter
2014-04-16 12:10 ` walter harms
2014-04-16 19:24 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140416111653.GF4963@mwanda \
--to=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=isdn@linux-pingi.de \
--cc=joe@perches.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).