* [PATCH PKT_SCHED 4/17]: Check TCA_ACT_KIND payload size _before_ copying it
@ 2004-12-30  3:39 Patrick McHardy
From: Patrick McHardy @ 2004-12-30  3:39 UTC (permalink / raw)
  To: jamal; +Cc: Maillist netdev


Fix payload size checks like this one:

-                       sprintf(act_name, "%s", (char*)RTA_DATA(kind));
-                       if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
-                               printk("Action %s bad\n", (char*)RTA_DATA(kind))


[-- Attachment #2: 04.diff --]
[-- Type: text/x-patch, Size: 1912 bytes --]

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2004/12/30 01:45:41+01:00 kaber@coreworks.de 
#   [PKT_SCHED]: Check TCA_ACT_KIND payload size _before_ copying it
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
# net/sched/act_api.c
#   2004/12/30 01:45:35+01:00 kaber@coreworks.de +6 -14
#   [PKT_SCHED]: Check TCA_ACT_KIND payload size _before_ copying it
#   
#   Signed-off-by: Patrick McHardy <kaber@trash.net>
# 
diff -Nru a/net/sched/act_api.c b/net/sched/act_api.c
--- a/net/sched/act_api.c	2004-12-30 04:01:10 +01:00
+++ b/net/sched/act_api.c	2004-12-30 04:01:10 +01:00
@@ -288,11 +288,9 @@
 			goto err_out;
 		kind = tb[TCA_ACT_KIND-1];
 		if (kind != NULL) {
-			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
-			if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
-				printk("Action %s bad\n", (char*)RTA_DATA(kind));
+			if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
 				goto err_out;
-			}
+			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
 		} else {
 			printk("Action bad kind\n");
 			goto err_out;
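Review bot: moving the size check ahead of the copy still leaves `sprintf(act_name, "%s", (char*)RTA_DATA(kind))` reading until it finds a NUL, so a TCA_ACT_KIND payload that carries no terminator lets sprintf run past the attribute and past the IFNAMSIZ-byte act_name; a bounded copy (memcpy of RTA_PAYLOAD(kind) bytes into a zeroed act_name, then `act_name[IFNAMSIZ - 1] = '\0'`) would not depend on the sender terminating the string. Separately, `>= IFNAMSIZ` rejects a payload of exactly IFNAMSIZ bytes even when its last byte is the NUL, where `>` would accept it. Dropping the printk is consistent with the fix, since it printed the same unterminated attribute with %s.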
@@ -503,12 +501,9 @@
 		goto err_out;
 	kind = tb[TCA_ACT_KIND-1];
 	if (kind != NULL) {
-		sprintf(act_name, "%s", (char*)RTA_DATA(kind));
-		if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
-			printk("tcf_action_get_1: action %s bad\n",
-			       (char*)RTA_DATA(kind));
+		if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
 			goto err_out;
-		}
+		sprintf(act_name, "%s", (char*)RTA_DATA(kind));
 	} else {
 		printk("tcf_action_get_1: action bad kind\n");
 		goto err_out;
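Review bot: same concern as in the first hunk for tcf_action_get_1: the `sprintf(act_name, "%s", ...)` on line `+		sprintf(act_name, "%s", (char*)RTA_DATA(kind));` is only safe if the payload contains a NUL within RTA_PAYLOAD(kind) bytes, which the `>= IFNAMSIZ` length check does not establish; a length-bounded memcpy with explicit termination would close that gap, and `>` instead of `>=` would stop rejecting a full-length, correctly terminated name.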
@@ -567,12 +562,9 @@
 	struct tc_action_ops *a_o = NULL;
 
 	if (kind != NULL) {
-		sprintf(act_name, "%s", (char*)RTA_DATA(kind));
-		if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
-			printk("get_ao: action %s bad\n",
-			       (char*)RTA_DATA(kind));
+		if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
 			return NULL;
-		}
+		sprintf(act_name, "%s", (char*)RTA_DATA(kind));
 	} else {
 		printk("get_ao: action bad kind\n");
 		return NULL;
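Review bot: get_ao now has the third identical copy of check-then-sprintf, differing only in `return NULL` versus `goto err_out`; since the remaining issue (sprintf "%s" trusting the attribute to be NUL-terminated, and `>=` rejecting an exactly IFNAMSIZ-byte payload that ends in NUL) is the same in all three, a single helper that bounds the copy by RTA_PAYLOAD(kind) and forces `act_name[IFNAMSIZ - 1] = '\0'` would fix it in one place rather than three.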


* Re: [PATCH PKT_SCHED 4/17]: Check TCA_ACT_KIND payload size _before_ copying it
@ 2004-12-30 13:34 ` Thomas Graf
From: Thomas Graf @ 2004-12-30 13:34 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: jamal, Maillist netdev

* Patrick McHardy <41D37875.5020103@trash.net> 2004-12-30 04:39
> -			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
> -			if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
> -				printk("Action %s bad\n", (char*)RTA_DATA(kind));
> +			if (RTA_PAYLOAD(kind) >= IFNAMSIZ)

The check should be RTA_PAYLOAD(kind) > IFNAMSIZ, == is ok
if the terminating NUL is provided.

>  				goto err_out;
> -			}
> +			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
>  		} else {

This will cause horrible crashes if no NUL is provided to terminate
the name.

So I think this should be:

if (RTA_PAYLOAD(kind) > IFNAMSIZ)
	goto err_out;
memset(act_name, ...);
memcpy(act_name, RTA_DATA(kind), RTA_PAYLOAD(kind));
act_name[IFNAMSIZ - 1] = '\0';

The memset is required to ensure 0 termination if kind is not and
shorter than IFNAMSIZ. memcpy instead of str* to avoid using
any form of str(n)len on a possibly not terminated string
and setting IFNAMSIZ - 1 to NUL to ensure proper handling of
an IFNAMSIZ long not terminated string.

I know it's unlikely but this might just save us some troubles later.


* Re: [PATCH PKT_SCHED 4/17]: Check TCA_ACT_KIND payload size _before_ copying it
@ 2004-12-30 14:20   ` Patrick McHardy
From: Patrick McHardy @ 2004-12-30 14:20 UTC (permalink / raw)
  To: Thomas Graf; +Cc: jamal, Maillist netdev

Thomas Graf wrote:
> * Patrick McHardy <41D37875.5020103@trash.net> 2004-12-30 04:39
> 
>>-			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
>>-			if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
>>-				printk("Action %s bad\n", (char*)RTA_DATA(kind));
>>+			if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
> 
> 
> The check should be RTA_PAYLOAD(kind) > IFNAMSIZ, == is ok
> if the terminating NUL is provided.

Thanks.

> 
> 
>> 				goto err_out;
>>-			}
>>+			sprintf(act_name, "%s", (char*)RTA_DATA(kind));
>> 		} else {
> 
> 
> This will cause horrible crashes if no NUL is provided to terminate
> the name.
> 
> So I think this should be:
> 
> if (RTA_PAYLOAD(kind) > IFNAMSIZ)
> 	goto err_out;
> memset(act_name, ...);
> memcpy(act_name, RTA_DATA(kind), RTA_PAYLOAD(kind));
> act_name[IFNAMSIZ - 1] = '\0';
> 
> The memset is required to ensure 0 termination if kind is not and
> shorter than IFNAMSIZ. memcpy instead of str* to avoid using
> any form of str(n)len on a possibly not terminated string
> and setting IFNAMSIZ - 1 to NUL to ensure proper handling of
> an IFNAMSIZ long not terminated string.
> 
> I know it's unlikely but this might just save us some troubles later.

Agreed. I saved this change for later because there are more places
in net/sched that need to be fixed. I guess I'll just add a
rtattr_strncpy function.

Regards
Patrick

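The bounded copy Thomas describes (memset, memcpy of RTA_PAYLOAD bytes, forced NUL at IFNAMSIZ - 1, and `>` rather than `>=`), written out as the kind of rtattr_strncpy helper Patrick mentions; this is an added userspace example, not code from the thread or from net/sched, and the struct rtattr and RTA_* macros below are simplified stand-ins for <linux/rtnetlink.h> so that it compiles without kernel headers.

```c
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ 16

/* Minimal stand-in for the kernel's struct rtattr and RTA_* macros
 * (constructed here so the example runs without kernel headers). */
struct rtattr { uint16_t rta_len; uint16_t rta_type; };
#define RTA_ALIGN(len)   (((len) + 3) & ~3)
#define RTA_LENGTH(len)  (RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_DATA(rta)    ((void *)((char *)(rta) + RTA_LENGTH(0)))
#define RTA_PAYLOAD(rta) ((int)(rta)->rta_len - (int)RTA_LENGTH(0))

/* Hypothetical helper: copy a string attribute into dst without trusting
 * the sender to NUL-terminate it. Returns 0 on success, -1 if it cannot fit. */
static int rtattr_strncpy(char *dst, size_t dstsize, const struct rtattr *rta)
{
    int len = RTA_PAYLOAD(rta);
    /* '>' rather than '>=': a payload of exactly dstsize bytes is fine when
     * its last byte is the terminator; anything longer is rejected. */
    if (len < 0 || (size_t)len > dstsize)
        return -1;
    memset(dst, 0, dstsize);                 /* terminates any shorter payload */
    memcpy(dst, RTA_DATA(rta), (size_t)len); /* no strlen on untrusted bytes */
    dst[dstsize - 1] = '\0';                 /* dstsize bytes, no NUL: truncate */
    return 0;
}

/* Build a TCA_ACT_KIND-style attribute from constructed input; 'nul' selects
 * whether the sender included the terminating NUL in the payload. */
static struct rtattr *build_kind(struct rtattr *rta, const char *name, int nul)
{
    size_t len = strlen(name) + (nul ? 1 : 0);
    rta->rta_type = 1;                       /* attribute type, value unimportant here */
    rta->rta_len = (uint16_t)RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), name, len);
    return rta;
}

/* Run one case end to end: -1 if the attribute is rejected, otherwise the
 * length of the resulting act_name, which is always < IFNAMSIZ. */
static int kind_case(const char *name, int nul)
{
    union { struct rtattr hdr; unsigned char raw[64]; } buf;
    char act_name[IFNAMSIZ];
    if (rtattr_strncpy(act_name, sizeof(act_name), build_kind(&buf.hdr, name, nul)))
        return -1;
    return (int)strlen(act_name);
}
```

A 15-byte name with NUL (16-byte payload) is accepted, a 16-byte name without NUL is truncated to 15 characters, and a 17-byte payload is rejected.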
