[PATCH iproute2] ip: xfrm: add NUL character to security context name before printing

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
@ 2021-02-16 16:50 Sabrina Dubroca
  2021-03-08 11:30 ` Sabrina Dubroca
  2021-03-08 17:18 ` Stephen Hemminger
  0 siblings, 2 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-02-16 16:50 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Sabrina Dubroca, Paul Wouters

Security context names are not guaranteed to be NUL-terminated by the
kernel, so we can't just print them using %s directly. The length of
the string is capped by the size of the netlink attribute (u16), so it
will always fit within 65535 bytes.

While at it, factor that out to a separate function, since the exact
same code is used to print the security context for both policies and
states.

Fixes: b2bb289a57fe ("xfrm security context support")
Reported-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 ip/ipxfrm.c | 46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index e4a72bd06778..3fc0e13ef112 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -916,6 +916,22 @@ static int xfrm_selector_iszero(struct xfrm_selector *s)
 	return (memcmp(&s0, s, sizeof(s0)) == 0);
 }
 
+static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
+{
+	struct xfrm_user_sec_ctx *sctx;
+	char buf[65536] = {};
+
+	fprintf(fp, "\tsecurity context ");
+
+	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
+		fprintf(fp, "(ERROR truncated)");
+
+	sctx = RTA_DATA(attr);
+
+	memcpy(buf, (char *)(sctx + 1), sctx->ctx_len);
+	fprintf(fp, "%s %s", buf, _SL_);
+}
+
 void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 			    struct rtattr *tb[], FILE *fp, const char *prefix,
 			    const char *title, bool nokeys)
@@ -983,19 +999,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
-	}
-
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 }
 
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -1006,19 +1011,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
 
 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s ", (char *)(sctx + 1));
-		fprintf(fp, "%s", _SL_);
-	}
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 
 	if (prefix)
 		strlcat(buf, prefix, sizeof(buf));
-- 
2.30.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
  2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
@ 2021-03-08 11:30 ` Sabrina Dubroca
  2021-03-08 17:18 ` Stephen Hemminger
  1 sibling, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-03-08 11:30 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Paul Wouters

Hi Stephen/David,

2021-02-16, 17:50:58 +0100, Sabrina Dubroca wrote:
> Security context names are not guaranteed to be NUL-terminated by the
> kernel, so we can't just print them using %s directly. The length of
> the string is capped by the size of the netlink attribute (u16), so it
> will always fit within 65535 bytes.
> 
> While at it, factor that out to a separate function, since the exact
> same code is used to print the security context for both policies and
> states.

This patch ended up with "Changes Requested" in patchwork [1], even though
there has been no reply to it. Do I need to resend it?

[1] https://patchwork.kernel.org/project/netdevbpf/patch/11af39932b3896cf1a560059bcbd24194e7f33bd.1613473397.git.sd@queasysnail.net/

Thanks,

-- 
Sabrina


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
  2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
  2021-03-08 11:30 ` Sabrina Dubroca
@ 2021-03-08 17:18 ` Stephen Hemminger
  2021-03-09 15:44   ` [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing Sabrina Dubroca
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Hemminger @ 2021-03-08 17:18 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev, dsahern, Paul Wouters

On Tue, 16 Feb 2021 17:50:58 +0100
Sabrina Dubroca <sd@queasysnail.net> wrote:

> +static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
> +{
> +	struct xfrm_user_sec_ctx *sctx;
> +	char buf[65536] = {};
> +
> +	fprintf(fp, "\tsecurity context ");
> +
> +	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
> +		fprintf(fp, "(ERROR truncated)");
> +
> +	sctx = RTA_DATA(attr);
> +
> +	memcpy(buf, (char *)(sctx + 1), sctx->ctx_len);
> +	fprintf(fp, "%s %s", buf, _SL_);
> +}

The copy buffer is not needed. Use the printf precision as
a mechanism instead.

         fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1));


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing
  2021-03-08 17:18 ` Stephen Hemminger
@ 2021-03-09 15:44   ` Sabrina Dubroca
  0 siblings, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-03-09 15:44 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Sabrina Dubroca, Paul Wouters

Security context names are not guaranteed to be NUL-terminated by the
kernel, so we can't just print them using %s directly. The length of
the string is determined by sctx->ctx_len, so we can use that to limit
what fprintf outputs.

While at it, factor that out to a separate function, since the exact
same code is used to print the security context for both policies and
states.

Fixes: b2bb289a57fe ("xfrm security context support")
Reported-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
v2: drop the memcpy and use %.*s, suggested by Stephen Hemminger

 ip/ipxfrm.c | 43 +++++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 26 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index e4a72bd06778..8a794032cf12 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -916,6 +916,19 @@ static int xfrm_selector_iszero(struct xfrm_selector *s)
 	return (memcmp(&s0, s, sizeof(s0)) == 0);
 }
 
+static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
+{
+	struct xfrm_user_sec_ctx *sctx;
+
+	fprintf(fp, "\tsecurity context ");
+
+	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
+		fprintf(fp, "(ERROR truncated)");
+
+	sctx = RTA_DATA(attr);
+	fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1), _SL_);
+}
+
 void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 			    struct rtattr *tb[], FILE *fp, const char *prefix,
 			    const char *title, bool nokeys)
@@ -983,19 +996,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
-	}
-
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 }
 
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -1006,19 +1008,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
 
 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s ", (char *)(sctx + 1));
-		fprintf(fp, "%s", _SL_);
-	}
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 
 	if (prefix)
 		strlcat(buf, prefix, sizeof(buf));
-- 
2.30.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-03-09 15:45 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
2021-03-08 11:30 ` Sabrina Dubroca
2021-03-08 17:18 ` Stephen Hemminger
2021-03-09 15:44   ` [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing Sabrina Dubroca

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).