| Message ID | 20181202040601.8432-1-cai@gmx.us |
|---|---|
| State | Accepted |
| Delegated to: | Jozsef Kadlecsik |
| Headers | show |
| Series | [v3] netfilter/ipset: replace a strncpy() with strscpy() | expand |
Hi, On Sat, 1 Dec 2018, Qian Cai wrote: > To make overflows as obvious as possible and to prevent code from blithely > proceeding with a truncated string. This also has a side-effect to fix a > compilation warning when using GCC 8.2.1. > > net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get': > net/netfilter/ipset/ip_set_core.c:2027:3: warning: 'strncpy' writing 32 > bytes into a region of size 2 overflows the destination > [-Wstringop-overflow=] > > Signed-off-by: Qian Cai <cai@gmx.us> Patch is applied with a slight modification, see below: > Changelog: > * v2: > - Released the lock for the error-path as well. > * v1: > - Checked the return value. > > net/netfilter/ipset/ip_set_core.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c > index 1577f2f76060..33929fb645b6 100644 > --- a/net/netfilter/ipset/ip_set_core.c > +++ b/net/netfilter/ipset/ip_set_core.c > @@ -2024,9 +2024,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) > } > nfnl_lock(NFNL_SUBSYS_IPSET); > set = ip_set(inst, req_get->set.index); > - strncpy(req_get->set.name, set ? set->name : "", > - IPSET_MAXNAMELEN); > + ret = strscpy(req_get->set.name, set ? set->name : "", > + IPSET_MAXNAMELEN); > nfnl_unlock(NFNL_SUBSYS_IPSET); > + if (ret == -E2BIG) I replaced the condition with if (ret < 0) so that it can handle future error codes from strscpy() as well. > + goto done; > goto copy; > } > default: Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 1577f2f76060..33929fb645b6 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -2024,9 +2024,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) } nfnl_lock(NFNL_SUBSYS_IPSET); set = ip_set(inst, req_get->set.index); - strncpy(req_get->set.name, set ? set->name : "", - IPSET_MAXNAMELEN); + ret = strscpy(req_get->set.name, set ? set->name : "", + IPSET_MAXNAMELEN); nfnl_unlock(NFNL_SUBSYS_IPSET); + if (ret == -E2BIG) + goto done; goto copy; } default:
To make overflows as obvious as possible and to prevent code from blithely proceeding with a truncated string. This also has a side-effect to fix a compilation warning when using GCC 8.2.1. net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get': net/netfilter/ipset/ip_set_core.c:2027:3: warning: 'strncpy' writing 32 bytes into a region of size 2 overflows the destination [-Wstringop-overflow=] Signed-off-by: Qian Cai <cai@gmx.us> --- Changelog: * v2: - Released the lock for the error-path as well. * v1: - Checked the return value. net/netfilter/ipset/ip_set_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)