From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
Chuck Lever <chuck.lever@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 213/330] SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
Date: Thu, 17 Sep 2020 21:59:13 -0400 [thread overview]
Message-ID: <20200918020110.2063155-213-sashal@kernel.org> (raw)
In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org>
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b25b60d7bfb02a74bc3c2d998e09aab159df8059 ]
'maxlen' is the total size of the destination buffer. There is only one
caller and this value is 256.
When we compute the size already used and what we would like to add in
the buffer, the trailling NULL character is not taken into account.
However, this trailling character will be added by the 'strcat' once we
have checked that we have enough place.
So, there is a off-by-one issue and 1 byte of the stack could be
erroneously overwridden.
Take into account the trailling NULL, when checking if there is enough
place in the destination buffer.
While at it, also replace a 'sprintf' by a safer 'snprintf', check for
output truncation and avoid a superfluous 'strlen'.
Fixes: dc9a16e49dbba ("svc: Add /proc/sys/sunrpc/transport files")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ cel: very minor fix to documenting comment
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/svc_xprt.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index dc74519286be5..fe4cd0b4c4127 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -104,8 +104,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl)
}
EXPORT_SYMBOL_GPL(svc_unreg_xprt_class);
-/*
- * Format the transport list for printing
+/**
+ * svc_print_xprts - Format the transport list for printing
+ * @buf: target buffer for formatted address
+ * @maxlen: length of target buffer
+ *
+ * Fills in @buf with a string containing a list of transport names, each name
+ * terminated with '\n'. If the buffer is too small, some entries may be
+ * missing, but it is guaranteed that all lines in the output buffer are
+ * complete.
+ *
+ * Returns positive length of the filled-in string.
*/
int svc_print_xprts(char *buf, int maxlen)
{
@@ -118,9 +127,9 @@ int svc_print_xprts(char *buf, int maxlen)
list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
int slen;
- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload);
- slen = strlen(tmpstr);
- if (len + slen > maxlen)
+ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n",
+ xcl->xcl_name, xcl->xcl_max_payload);
+ if (slen >= sizeof(tmpstr) || len + slen >= maxlen)
break;
len += slen;
strcat(buf, tmpstr);
--
2.25.1
next prev parent reply other threads:[~2020-09-18 3:01 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200918020110.2063155-1-sashal@kernel.org>
2020-09-18 1:55 ` [PATCH AUTOSEL 5.4 011/330] ath10k: fix array out-of-bounds access Sasha Levin
2020-09-18 1:55 ` [PATCH AUTOSEL 5.4 012/330] ath10k: fix memory leak for tpc_stats_final Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 031/330] net: silence data-races on sk_backlog.tail Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 037/330] ice: Fix to change Rx/Tx ring descriptor size via ethtool with DCBx Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 058/330] mt76: do not use devm API for led classdev Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 059/330] mt76: add missing locking around ampdu action Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 061/330] SUNRPC: Capture completion of all RPC tasks Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 078/330] tipc: fix link overflow issue at socket shutdown Sasha Levin
2020-09-18 1:56 ` [PATCH AUTOSEL 5.4 079/330] vcc_seq_next should increase position index Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 080/330] neigh_stat_seq_next() " Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 081/330] rt_cpu_seq_next " Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 082/330] ipv6_route_seq_next " Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 090/330] sctp: move trace_sctp_probe_path into sctp_outq_sack Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 107/330] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 111/330] Bluetooth: Fix refcount use-after-free issue Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 114/330] Bluetooth: prefetch channel before killing sock Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 117/330] skbuff: fix a data race in skb_queue_len() Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 129/330] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 130/330] mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw Sasha Levin
2020-09-18 1:57 ` [PATCH AUTOSEL 5.4 139/330] bpf: Remove recursion prevention from rcu free callback Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 145/330] iavf: use tc_cls_can_offload_and_chain0() instead of chain check Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 151/330] Bluetooth: guard against controllers sending zero'd events Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 166/330] ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 168/330] Bluetooth: L2CAP: handle l2cap config request during open state Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 189/330] r8169: improve RTL8168b FIFO overflow workaround Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 194/330] net: axienet: Convert DMA error handler to a work queue Sasha Levin
2020-09-18 1:58 ` [PATCH AUTOSEL 5.4 195/330] net: axienet: Propagate failure of DMA descriptor setup Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 208/330] brcmfmac: Fix double freeing in the fmac usb data path Sasha Levin
2020-09-18 1:59 ` Sasha Levin [this message]
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 214/330] svcrdma: Fix leak of transport addresses Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 215/330] netfilter: nf_tables: silence a RCU-list warning in nft_table_lookup() Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 229/330] SUNRPC: Don't start a timer on an already queued rpc task Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 244/330] net: openvswitch: use u64 for meter bucket Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 250/330] dpaa2-eth: fix error return code in setup_dpni() Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 252/330] devlink: Fix reporter's recovery condition Sasha Levin
2020-09-18 1:59 ` [PATCH AUTOSEL 5.4 253/330] atm: fix a memory leak of vcc->user_back Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 261/330] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 264/330] tipc: fix memory leak in service subscripting Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 271/330] svcrdma: Fix backchannel return code Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 280/330] e1000: Do not perform reset in reset_task if we are already down Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 296/330] perf metricgroup: Free metric_events on error Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 300/330] wlcore: fix runtime pm imbalance in wl1271_tx_work Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 301/330] wlcore: fix runtime pm imbalance in wlcore_regdomain_config Sasha Levin
2020-09-18 2:00 ` [PATCH AUTOSEL 5.4 315/330] mac80211: skip mpath lookup also for control port tx Sasha Levin
2020-09-18 2:01 ` [PATCH AUTOSEL 5.4 324/330] mt76: fix LED link time failure Sasha Levin
2020-09-18 2:01 ` [PATCH AUTOSEL 5.4 329/330] net: openvswitch: use div_u64() for 64-by-32 divisions Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200918020110.2063155-213-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=christophe.jaillet@wanadoo.fr \
--cc=chuck.lever@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).