From: Dominique Martinet <asmadeus@codewreck.org>
To: Andrea Claudi <aclaudi@redhat.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
Stephen Hemminger <stephen@networkplumber.org>,
linux-netdev <netdev@vger.kernel.org>,
David Ahern <dsahern@gmail.com>,
daniel@iogearbox.net, Jamal Hadi Salim <hadi@mojatatu.com>
Subject: Re: [PATCH iproute2 v2 1/2] bpf: Fix segfault when custom pinning is used
Date: Wed, 22 Apr 2020 16:43:19 +0200 [thread overview]
Message-ID: <20200422144319.GA25914@nautica> (raw)
In-Reply-To: <CAPpH65zpv6xD08KK-Gjwx4LxNsViu6Jy2DXgQ+inUodoE5Uhgw@mail.gmail.com>
Andrea Claudi wrote on Wed, Apr 22, 2020:
> > - ret = asprintf(&tmp, "%s/../", bpf_get_work_dir(ctx->type));
> > + ret = snprintf(tmp, PATH_MAX, "%s/../", bpf_get_work_dir(ctx->type));
>
> Shouldn't we check for the last argument length before? We should have
> enough space for "/../" and the terminator, so we need the last
> argument length to be less than PATH_MAX-5, right?
snprintf will return the length that would be written if there had been
room so most codes just check the return value instead (something like
if (ret >= sizeof(tmp)) error)
OTOH this will actually be caught by the later strcat guard, because rem
will always contain at least on / the while will always be entered and
strlen(tmp) + (>=0) + 2 will always be > PATH_MAX, so this function will
error out.
I'll admit it's not clear, though :)
I'm actually not sure snprintf can return < 0... wide character
formatting functions can but basic ones not really, there's hardly any
snprintf return checking in iproute2 code...
Anyway, with all that said this patch currently technically works for
me, despite being not so clear, so can add my reviewed-by on whatever
final version you take (check < 0 or >= PATH_MAX or none or both), if
you'd like :)
--
Dominique
next prev parent reply other threads:[~2020-04-22 14:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-22 10:28 [PATCH iproute2 v2 0/2] bpf: memory access fixes Jamal Hadi Salim
2020-04-22 10:28 ` [PATCH iproute2 v2 1/2] bpf: Fix segfault when custom pinning is used Jamal Hadi Salim
2020-04-22 12:24 ` Andrea Claudi
2020-04-22 14:43 ` Dominique Martinet [this message]
2020-04-22 17:07 ` Jamal Hadi Salim
2020-04-22 16:35 ` Stephen Hemminger
2020-04-22 17:19 ` Jamal Hadi Salim
2020-04-23 6:30 ` Dominique Martinet
2020-04-23 17:46 ` Jamal Hadi Salim
2020-04-22 10:28 ` [PATCH iproute2 v2 2/2] bpf: Fix mem leak and extraneous free() in error path Jamal Hadi Salim
2020-04-22 14:44 ` Dominique Martinet
2020-04-30 5:40 ` [PATCH iproute2 v2 0/2] bpf: memory access fixes Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200422144319.GA25914@nautica \
--to=asmadeus@codewreck.org \
--cc=aclaudi@redhat.com \
--cc=daniel@iogearbox.net \
--cc=dsahern@gmail.com \
--cc=hadi@mojatatu.com \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).