From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Chris Packham <chris.packham@alliedtelesis.co.nz>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.0 21/36] tipc: Avoid copying bytes beyond the supplied data
Date: Mon, 3 Jun 2019 11:09:09 +0200 [thread overview]
Message-ID: <20190603090522.386394763@linuxfoundation.org> (raw)
In-Reply-To: <20190603090520.998342694@linuxfoundation.org>
From: Chris Packham <chris.packham@alliedtelesis.co.nz>
TLV_SET is called with a data pointer and a len parameter that tells us
how many bytes are pointed to by data. When invoking memcpy() we need
to careful to only copy len bytes.
Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
4 bytes past the end of the data pointer which newer GCC versions
complain about.
In file included from test.c:17:
In function 'TLV_SET',
inlined from 'test' at test.c:186:5:
/usr/include/linux/tipc_config.h:317:3:
warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c: In function 'test':
test.c::161:10: note:
'bearer_name' declared here
char bearer_name[TIPC_MAX_BEARER_NAME];
^~~~~~~~~~~
We still want to ensure any padding bytes at the end are initialised, do
this with a explicit memset() rather than copy bytes past the end of
data. Apply the same logic to TCM_SET.
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/tipc_config.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/include/uapi/linux/tipc_config.h
+++ b/include/uapi/linux/tipc_config.h
@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u
tlv_ptr = (struct tlv_desc *)tlv;
tlv_ptr->tlv_type = htons(type);
tlv_ptr->tlv_len = htons(tlv_len);
- if (len && data)
- memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
+ if (len && data) {
+ memcpy(TLV_DATA(tlv_ptr), data, len);
+ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
+ }
return TLV_SPACE(len);
}
@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u
tcm_hdr->tcm_len = htonl(msg_len);
tcm_hdr->tcm_type = htons(cmd);
tcm_hdr->tcm_flags = htons(flags);
- if (data_len && data)
+ if (data_len && data) {
memcpy(TCM_DATA(msg), data, data_len);
+ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
+ }
return TCM_SPACE(data_len);
}
next prev parent reply other threads:[~2019-06-03 9:11 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-03 9:08 [PATCH 5.0 00/36] 5.0.21-stable review Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 01/36] bonding/802.3ad: fix slave link initialization transition states Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 02/36] cxgb4: offload VLAN flows regardless of VLAN ethtype Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 03/36] inet: switch IP ID generator to siphash Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 04/36] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 05/36] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 06/36] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 07/36] ipv6: Fix redirect with VRF Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 08/36] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 09/36] mlxsw: spectrum_acl: Avoid warning after identical rules insertion Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 10/36] net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 11/36] net: fec: fix the clk mismatch in failed_reset path Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 12/36] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 13/36] net: mvneta: Fix err code path of probe Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 14/36] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 15/36] net: phy: marvell10g: report if the PHY fails to boot firmware Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 16/36] net: sched: dont use tc_action->order during action dump Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 17/36] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 18/36] r8169: fix MAC address being lost in PCI D3 Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 19/36] usbnet: fix kernel crash after disconnect Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 20/36] net/mlx5: Avoid double free in fs init error unwinding path Greg Kroah-Hartman
2019-06-03 9:09 ` Greg Kroah-Hartman [this message]
2019-06-03 9:09 ` [PATCH 5.0 22/36] net/mlx5: Allocate root ns memory using kzalloc to match kfree Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 23/36] net/mlx5e: Disable rxhash when CQE compress is enabled Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 25/36] net: stmmac: dma channel control register need to be init first Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 26/36] bnxt_en: Fix aggregation buffer leak under OOM condition Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 27/36] bnxt_en: Fix possible BUG() condition when calling pci_disable_msix() Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 28/36] bnxt_en: Reduce memory usage when running in kdump kernel Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 29/36] net/tls: fix state removal with feature flags off Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 30/36] net/tls: dont ignore netdev notifications if no TLS features Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 31/36] cxgb4: Revert "cxgb4: Remove SGE_HOST_PAGE_SIZE dependency on page size" Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 32/36] net: correct zerocopy refcnt with udp MSG_MORE Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 33/36] crypto: vmx - ghash: do nosimd fallback manually Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 34/36] xen/pciback: Dont disable PCI_COMMAND on PCI device reset Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 35/36] Revert "tipc: fix modprobe tipc failed after switch order of device registration" Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 36/36] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-06-03 15:09 ` [PATCH 5.0 00/36] 5.0.21-stable review kernelci.org bot
2019-06-03 17:17 ` Guenter Roeck
2019-06-03 17:59 ` Naresh Kamboju
2019-06-03 18:33 ` Jon Hunter
2019-06-03 23:32 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190603090522.386394763@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chris.packham@alliedtelesis.co.nz \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).