Message ID | 20120630114935.GB22767@elgon.mountain |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
> Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy > 12 bytes from the stack so it's a small information leak. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > This was just added to linux-next yesterday, but I'm not sure > which tree it came from. > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c > b/drivers/scsi/bnx2i/bnx2i_init.c > index 7729a52..b17637a 100644 > --- a/drivers/scsi/bnx2i/bnx2i_init.c > +++ b/drivers/scsi/bnx2i/bnx2i_init.c > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle) > if (!stats) > return -ENOMEM; > > - memcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version)); > + strlcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version)); > memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN); Doesn't that leak the original contents of the last bytes of stats->version instead? David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote: > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for > strings > > > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy > > 12 bytes from the stack so it's a small information leak. > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > This was just added to linux-next yesterday, but I'm not sure > > which tree it came from. > > > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c > > b/drivers/scsi/bnx2i/bnx2i_init.c > > index 7729a52..b17637a 100644 > > --- a/drivers/scsi/bnx2i/bnx2i_init.c > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle) > > if (!stats) > > return -ENOMEM; > > > > - memcpy(stats->version, DRV_MODULE_VERSION, > sizeof(stats->version)); > > + strlcpy(stats->version, DRV_MODULE_VERSION, > sizeof(stats->version)); > > memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN); > > Doesn't that leak the original contents of the last bytes of > stats->version instead? I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req(). regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: > On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote: > > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for > > strings > > > > > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy > > > 12 bytes from the stack so it's a small information leak. > > > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > --- > > > This was just added to linux-next yesterday, but I'm not sure > > > which tree it came from. > > > > > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c > > > b/drivers/scsi/bnx2i/bnx2i_init.c > > > index 7729a52..b17637a 100644 > > > --- a/drivers/scsi/bnx2i/bnx2i_init.c > > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c > > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle) > > > if (!stats) > > > return -ENOMEM; > > > > > > - memcpy(stats->version, DRV_MODULE_VERSION, > > sizeof(stats->version)); > > > + strlcpy(stats->version, DRV_MODULE_VERSION, > > sizeof(stats->version)); > > > memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN); > > > > Doesn't that leak the original contents of the last bytes of > > stats->version instead? > > I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req(). > Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct. This came from the net-next tree, so David is the right persion to apply this. Thanks. Acked-by: Michael Chan <mchan@broadcom.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 2012-07-02 at 08:13 -0700, Michael Chan wrote: > On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: > > On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote: > > > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for > > > strings > > > > > > > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy > > > > 12 bytes from the stack so it's a small information leak. > > > > > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > > --- > > > > This was just added to linux-next yesterday, but I'm not sure > > > > which tree it came from. > > > > > > > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c > > > > b/drivers/scsi/bnx2i/bnx2i_init.c > > > > index 7729a52..b17637a 100644 > > > > --- a/drivers/scsi/bnx2i/bnx2i_init.c > > > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c > > > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle) > > > > if (!stats) > > > > return -ENOMEM; > > > > > > > > - memcpy(stats->version, DRV_MODULE_VERSION, > > > sizeof(stats->version)); > > > > + strlcpy(stats->version, DRV_MODULE_VERSION, > > > sizeof(stats->version)); > > > > memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN); > > > > > > Doesn't that leak the original contents of the last bytes of > > > stats->version instead? > > > > I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req(). > > > > Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct. > > This came from the net-next tree, so David is the right persion to apply > this. Thanks. > > Acked-by: Michael Chan <mchan@broadcom.com> > True. strlcpy() is the correct routine to use (instead of strncpy) as this needs to be NULL terminated. Thanks. Acked-by: Eddie Wai <eddie.wai@broadcom.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: "Michael Chan" <mchan@broadcom.com> Date: Mon, 2 Jul 2012 08:13:38 -0700 > This came from the net-next tree, so David is the right persion to apply > this. Thanks. > > Acked-by: Michael Chan <mchan@broadcom.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/scsi/bnx2i/bnx2i_init.c b/drivers/scsi/bnx2i/bnx2i_init.c index 7729a52..b17637a 100644 --- a/drivers/scsi/bnx2i/bnx2i_init.c +++ b/drivers/scsi/bnx2i/bnx2i_init.c @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle) if (!stats) return -ENOMEM; - memcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version)); + strlcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version)); memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN); stats->max_frame_size = hba->netdev->mtu;
DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy 12 bytes from the stack so it's a small information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- This was just added to linux-next yesterday, but I'm not sure which tree it came from. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html