From: Fan Du <fan.du@windriver.com>
To: David Laight <David.Laight@aculab.com>
Cc: Sohny Thomas <sthomas@linux.vnet.ibm.com>,
<stephen@networkplumber.org>, <netdev@vger.kernel.org>
Subject: Re: [PATCH] {iproute2, xfrm}: Use memcpy to suppress gcc phony buffer overflow warning
Date: Tue, 8 Oct 2013 09:22:22 +0800 [thread overview]
Message-ID: <52535E4E.2090804@windriver.com> (raw)
In-Reply-To: <AE90C24D6B3A694183C094C60CF0A2F6026B7368@saturn3.aculab.com>
Back from vacation, sorry for the late reply.
On 2013年09月30日 17:29, David Laight wrote:
>>> This is a false positive warning as the destination pointer "buf"
>>> pointers to
>>> an ZERO length array, which actually will occupy alg.buf mostly.
>>> Fix this by using memcpy.
>>>
>>> struct xfrm_algo {
>>> char alg_name[64];
>>> unsigned int alg_key_len; /* in bits */
>>> char alg_key[0];
>>> };
>>>
>>> struct {
>>> union {
>>> struct xfrm_algo alg;
>>> struct xfrm_algo_aead aead;
>>> struct xfrm_algo_auth auth;
>>> } u;
>>> char buf[XFRM_ALGO_KEY_BUF_SIZE];
>>> } alg = {};
>>>
>>> buf = alg.u.alg.alg_key;
>
> That is worse than horrid...
> The tools have every right to complain about any accesses to alg_key[].
Only when using strcpy, because a build in checking inserted in this function.
>>> ---
>>> ip/xfrm_state.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
>>> index 0d98e78..5cc87d3 100644
>>> --- a/ip/xfrm_state.c
>>> +++ b/ip/xfrm_state.c
>>> @@ -159,7 +159,7 @@ static int xfrm_algo_parse(struct xfrm_algo *alg,
>>> enum xfrm_attr_type_t type,
>>> if (len> max)
>>> invarg("\"ALGO-KEY\" makes buffer overflow\n", key);
>
> I presume there is a return hiding in invarg().
Good guess :)
>>>
>>> - strncpy(buf, key, len);
>>> + memcpy(buf, key, len);
>
> Passing the length of the SOURCE to strncpy() is almost always wrong.
> You are still not terminating the copied string.
Don't worry.
The length using here has been increased by 1 at the beginning of the function,
so the copied string to the destination is terminated well.
> David
>
>
--
浮沉随浪只记今朝笑
--fan
next prev parent reply other threads:[~2013-10-08 1:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <524411AE.7000404@linux.vnet.ibm.com>
2013-09-26 18:32 ` [PATCH] iproute2: xfrm state add abort issue Sohny Thomas
2013-09-27 8:26 ` David Laight
2013-09-28 13:24 ` Sohny Thomas
2013-09-29 1:49 ` [PATCH] {iproute2, xfrm}: Use memcpy to suppress gcc phony buffer overflow warning Fan Du
2013-09-29 3:21 ` Sohny Thomas
2013-09-30 9:29 ` David Laight
2013-10-08 1:22 ` Fan Du [this message]
2013-10-01 4:10 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52535E4E.2090804@windriver.com \
--to=fan.du@windriver.com \
--cc=David.Laight@aculab.com \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=sthomas@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).