diff mbox

[SCSI] bnx2i: use strlcpy() instead of memcpy() for strings

Message ID 20120630114935.GB22767@elgon.mountain
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Dan Carpenter June 30, 2012, 11:49 a.m. UTC 
DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
12 bytes from the stack so it's a small information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This was just added to linux-next yesterday, but I'm not sure which tree
it came from.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Laight July 2, 2012, 10:09 a.m. UTC | #1 
> Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
strings
> 
> DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> 12 bytes from the stack so it's a small information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This was just added to linux-next yesterday, but I'm not sure 
> which tree it came from.
> 
> diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> b/drivers/scsi/bnx2i/bnx2i_init.c
> index 7729a52..b17637a 100644
> --- a/drivers/scsi/bnx2i/bnx2i_init.c
> +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
>  	if (!stats)
>  		return -ENOMEM;
>  
> -	memcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
> +	strlcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
>  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);

Doesn't that leak the original contents of the last bytes of
stats->version instead?

	David


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dan Carpenter July 2, 2012, 10:48 a.m. UTC | #2 
On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> strings
> > 
> > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > 12 bytes from the stack so it's a small information leak.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > This was just added to linux-next yesterday, but I'm not sure 
> > which tree it came from.
> > 
> > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > b/drivers/scsi/bnx2i/bnx2i_init.c
> > index 7729a52..b17637a 100644
> > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> >  	if (!stats)
> >  		return -ENOMEM;
> >  
> > -	memcpy(stats->version, DRV_MODULE_VERSION,
> sizeof(stats->version));
> > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> sizeof(stats->version));
> >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> 
> Doesn't that leak the original contents of the last bytes of
> stats->version instead?

I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Michael Chan July 2, 2012, 3:13 p.m. UTC | #3 
On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: 
> On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> > strings
> > > 
> > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > > 12 bytes from the stack so it's a small information leak.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > This was just added to linux-next yesterday, but I'm not sure 
> > > which tree it came from.
> > > 
> > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > > b/drivers/scsi/bnx2i/bnx2i_init.c
> > > index 7729a52..b17637a 100644
> > > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> > >  	if (!stats)
> > >  		return -ENOMEM;
> > >  
> > > -	memcpy(stats->version, DRV_MODULE_VERSION,
> > sizeof(stats->version));
> > > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> > sizeof(stats->version));
> > >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> > 
> > Doesn't that leak the original contents of the last bytes of
> > stats->version instead?
> 
> I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().
> 

Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct.

This came from the net-next tree, so David is the right persion to apply
this.  Thanks.

Acked-by: Michael Chan <mchan@broadcom.com>


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eddie Wai July 2, 2012, 5:53 p.m. UTC | #4 
On Mon, 2012-07-02 at 08:13 -0700, Michael Chan wrote:
> On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: 
> > On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> > > strings
> > > > 
> > > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > > > 12 bytes from the stack so it's a small information leak.
> > > > 
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > > ---
> > > > This was just added to linux-next yesterday, but I'm not sure 
> > > > which tree it came from.
> > > > 
> > > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > > > b/drivers/scsi/bnx2i/bnx2i_init.c
> > > > index 7729a52..b17637a 100644
> > > > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> > > >  	if (!stats)
> > > >  		return -ENOMEM;
> > > >  
> > > > -	memcpy(stats->version, DRV_MODULE_VERSION,
> > > sizeof(stats->version));
> > > > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> > > sizeof(stats->version));
> > > >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> > > 
> > > Doesn't that leak the original contents of the last bytes of
> > > stats->version instead?
> > 
> > I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().
> > 
> 
> Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct.
> 
> This came from the net-next tree, so David is the right persion to apply
> this.  Thanks.
> 
> Acked-by: Michael Chan <mchan@broadcom.com>
> 
True.  strlcpy() is the correct routine to use (instead of strncpy) as
this needs to be NULL terminated.  Thanks.

Acked-by: Eddie Wai <eddie.wai@broadcom.com>



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller July 9, 2012, 6:51 a.m. UTC | #5 
From: "Michael Chan" <mchan@broadcom.com>
Date: Mon, 2 Jul 2012 08:13:38 -0700

> This came from the net-next tree, so David is the right persion to apply
> this.  Thanks.
> 
> Acked-by: Michael Chan <mchan@broadcom.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/scsi/bnx2i/bnx2i_init.c b/drivers/scsi/bnx2i/bnx2i_init.c
index 7729a52..b17637a 100644
--- a/drivers/scsi/bnx2i/bnx2i_init.c
+++ b/drivers/scsi/bnx2i/bnx2i_init.c
@@ -400,7 +400,7 @@  int bnx2i_get_stats(void *handle)
 	if (!stats)
 		return -ENOMEM;
 
-	memcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version));
+	strlcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version));
 	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
 
 	stats->max_frame_size = hba->netdev->mtu;