From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH net 0/6] net: better validate user provided tunnel names Date: Thu, 05 Apr 2018 15:21:11 -0400 (EDT) Message-ID: <20180405.152111.2211916878014180558.davem@davemloft.net> References: <20180405133931.207634-1-edumazet@google.com> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com, eric.dumazet@gmail.com To: edumazet@google.com Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:59486 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752444AbeDETVO (ORCPT ); Thu, 5 Apr 2018 15:21:14 -0400 In-Reply-To: <20180405133931.207634-1-edumazet@google.com> Sender: netdev-owner@vger.kernel.org List-ID: From: Eric Dumazet Date: Thu, 5 Apr 2018 06:39:25 -0700 > This series changes dev_valid_name() to not attempt reading > a possibly too long user-provided device name, then use > this helper in five different tunnel providers. Series applied and queued up for -stable, thanks Eric. Reading over this series makes me wonder if we generally have an off-by-one bug for device names which are exactly IFNAMSIZ. We validate the size using the test: if (strlen(name) >= IFNAMSIZ) return ERROR; and thusly after Eric's changes: if (strnlen(name, IFNAMSIZ) == IFNAMSIZ) return ERROR; This value computed by str{,n}len() doesn't include the trailing null byte. So we will accept a name that has exactly IFNAMSIZ bytes long not including the trailing null. Then we will copy IFNAMSIZ bytes, minus 1, into the device name and then tack on the trailling null byte. So essentially we will set the final non-null byte in the string to a null byte. Am I misreading things?