From patchwork Thu Mar 29 21:20:45 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Maloy <jon.maloy@ericsson.com>
X-Patchwork-Id: 893005
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=ericsson.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=ericsson.com header.i=@ericsson.com
	header.b="SO0YX7z1"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 40ByNQ4bFMz9rxx
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 30 Mar 2018 08:21:10 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752016AbeC2VU5 (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Thu, 29 Mar 2018 17:20:57 -0400
Received: from sessmg23.ericsson.net ([193.180.251.45]:43719 "EHLO
	sessmg23.ericsson.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751403AbeC2VU4 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 29 Mar 2018 17:20:56 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801;
	c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1522358455;
	h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
	List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=te+YCfqNHv0ydeyqrD1XHrOouAwTPFJfm5GybbxG4q4=;
	b=SO0YX7z1LJ6F1jQmK4GlvbHF3VaPyqtIZfoGWF0KYfBl28rAjWsqjkd+vviPZlgq
	S9KxosT+ZXajcXbWEe48FafBMDHU67zUqQvYrSChCcok8qn+Ou5iK3Bd6IJc4T75
	dkk6CZJmABKoHR9ePjxU20l7z9zlyVIGVVd0GBzVEvc=;
X-AuditID: c1b4fb2d-e19ff700000073d9-29-5abd58b7a8df
Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.183.51])
	by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id
	26.7F.29657.7B85DBA5; Thu, 29 Mar 2018 23:20:55 +0200 (CEST)
Received: from daly.lab.linux.ericsson.se (10.35.28.123) by
	ESESSHC011.ericsson.se (153.88.183.51) with Microsoft SMTP Server
	(TLS) id 14.3.382.0; Thu, 29 Mar 2018 23:20:54 +0200
From: Jon Maloy <jon.maloy@ericsson.com>
To: <davem@davemloft.net>, <netdev@vger.kernel.org>
CC: <mohan.krishna.ghanta.krishnamurthy@ericsson.com>,
	<tung.q.nguyen@dektech.com.au>, <hoang.h.le@dektech.com.au>,
	<jon.maloy@ericsson.com>, <canh.d.luu@dektech.com.au>,
	<ying.xue@windriver.com>, <tipc-discussion@lists.sourceforge.net>
Subject: [net-next v2 5/5] tipc: avoid possible string overflow
Date: Thu, 29 Mar 2018 23:20:45 +0200
Message-ID: <1522358445-7444-6-git-send-email-jon.maloy@ericsson.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1522358445-7444-1-git-send-email-jon.maloy@ericsson.com>
References: <1522358445-7444-1-git-send-email-jon.maloy@ericsson.com>
MIME-Version: 1.0
X-Originating-IP: [10.35.28.123]
X-Brightmail-Tracker: 
 H4sIAAAAAAAAA+NgFjrDLMWRmVeSWpSXmKPExsUyM2K7se72iL1RBpv+CFncaOhhtphzvoXF
	4u2rWewWxxaIWWw5n2Vxpf0su8Xj69eZHdg9tqy8yeTx7gqbx+4Fn5k8Pm+S81i/ZStTAGsU
	l01Kak5mWWqRvl0CV8bFK4fZC+YJVnz5c5qtgXEuXxcjJ4eEgInEpGXnWLsYuTiEBI4wSky6
	+5gFJCEksI1R4npPDYjNJqAh8XJaByOILSJgLPFqZScTSAOzwCdGiZaVz9hAEsIC9hKT/r0B
	aubgYBFQldixDqyeV8BV4tDJpewQy+Qkzh//yQxicwq4STTMmcwIsctV4ve5blaIekGJkzOf
	gN3ALCAhcfDFC2aIGmWJuR+mMUHMUZD4MGsZ2wRGgVlIWmYhaVnAyLSKUbQ4tbg4N93IWC+1
	KDO5uDg/Ty8vtWQTIzCMD275rbuDcfVrx0OMAhyMSjy8Yq57o4RYE8uKK3MPMUpwMCuJ8L7X
	2B0lxJuSWFmVWpQfX1Sak1p8iFGag0VJnFdv1Z4oIYH0xJLU7NTUgtQimCwTB6dUA+Oy+5MW
	nixkbZfyd2F5+l7l5fbfbw9Z+mmapAQu4/npqhy7wPzm8S1l/fdyvpjdPM08d4KrwcV+Udt9
	873L8nxfL1fd+vnFgxUipu6b2ZboKay4mHqsvWudm/nL2kmSH3L/h166ysf6ftuRbe0SkQ/9
	rglPlWBzmrMsV21j2ZHKyv/THp7drP9AiaU4I9FQi7moOBEAnrGHQF8CAAA=
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

gcc points out that the combined length of the fixed-length inputs to
l->name is larger than the destination buffer size:

net/tipc/link.c: In function 'tipc_link_create':
net/tipc/link.c:465:26: error: '%s' directive writing up to 32 bytes
into a region of size between 26 and 58 [-Werror=format-overflow=]
sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);

net/tipc/link.c:465:2: note: 'sprintf' output 11 or more bytes
(assuming 75) into a destination of size 60
sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);

A detailed analysis reveals that the theoretical maximum length of
a link name is:
max self_str + 1 + max if_name + 1 + max peer_str + 1 + max if_name =
16 + 1 + 15 + 1 + 16 + 1 + 15 = 65
Since we also need space for a trailing zero we now set MAX_LINK_NAME
to 68.

Just to be on the safe side we also replace the sprintf() call with
snprintf().

Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address
hash values")
Reported-by: Arnd Bergmann <arnd@arndb.de>

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
---
 include/uapi/linux/tipc.h | 2 +-
 net/tipc/link.c           | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/tipc.h b/include/uapi/linux/tipc.h
index 156224a..bf6d286 100644
--- a/include/uapi/linux/tipc.h
+++ b/include/uapi/linux/tipc.h
@@ -216,7 +216,7 @@ struct tipc_group_req {
 #define TIPC_MAX_MEDIA_NAME	16
 #define TIPC_MAX_IF_NAME	16
 #define TIPC_MAX_BEARER_NAME	32
-#define TIPC_MAX_LINK_NAME	60
+#define TIPC_MAX_LINK_NAME	68
 
 #define SIOCGETLINKNAME		SIOCPROTOPRIVATE
 
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 8f2a949..695acb7 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -462,7 +462,8 @@ bool tipc_link_create(struct net *net, char *if_name, int bearer_id,
 			sprintf(peer_str, "%x", peer);
 	}
 	/* Peer i/f name will be completed by reset/activate message */
-	sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);
+	snprintf(l->name, sizeof(l->name), "%s:%s-%s:unknown",
+		 self_str, if_name, peer_str);
 
 	strcpy(l->if_name, if_name);
 	l->addr = peer;