From patchwork Sun Nov 12 23:15:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rasmus Villemoes X-Patchwork-Id: 837298 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=rasmusvillemoes.dk header.i=@rasmusvillemoes.dk header.b="OAIBa649"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yZqS105Bjz9s7m for ; Mon, 13 Nov 2017 10:17:37 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751579AbdKLXRY (ORCPT ); Sun, 12 Nov 2017 18:17:24 -0500 Received: from mail-wm0-f66.google.com ([74.125.82.66]:40380 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751062AbdKLXPY (ORCPT ); Sun, 12 Nov 2017 18:15:24 -0500 Received: by mail-wm0-f66.google.com with SMTP id b189so4841675wmd.5 for ; Sun, 12 Nov 2017 15:15:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=81dGXIuXgWEqkpjG58cHHUzhBHzxxJm1zUC1EMYiX7o=; b=OAIBa649e/3HEjFD4Ojd/V8mJ5qLt8P+TDn/BTIfLhtjZHSZ2oqUquDYfsOsiaEVA8 TKbtY2ykcLXQIkRdBj79f692SXDvfXevoR4a2Xu+dt4LRbjJFTT67KcGp2Ia/TZQu7Wl L6Up2Pip6ZxtfxzWMBkOc2+9XRrO1Ln+S8OVM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=81dGXIuXgWEqkpjG58cHHUzhBHzxxJm1zUC1EMYiX7o=; b=JBXXpaMMu0iYHpnZBpE2db+lctlXCBZjWpLTu1wl3TRa6aaqHjpr+5fPNtpDjEEDyf tstbdgQh26gFc5V0ePgD1jnjJzV37lTNthclsnSB0nnhY4R4r4AKNpZ3ZPtFd3zRfHUl L4mZpgRGpgwnBi61fQn2/gH5tMkN3qlwM9p2U6bgEX4Xzx/cFMvrgBsx8P2riyeBLr7I Lx0J8y/Ka8KHFjIJxWo160znDsfsUc1y65zwb98eUgj2jIDyZmRIfop6oWuu6ndYpZme rTukDqYAel/sgQIz84vMZv0k7c/jGb6T6KszOnV3nvFoUrbP+SisCtOtvI4aWU0MagdH tyMQ== X-Gm-Message-State: AJaThX5bJZLHqAfDHeQS1nvZ8XRQhD/geyRuAxefTA2gMaQ3oVZfUNIT vQVbeMi6kjShAREWqP4143cBeA== X-Google-Smtp-Source: AGs4zMb/5SCJlWWjmchAv8uJu9RY1q5fjiy6HLqcY7hCjShfSIVf21njfASQJyjvS644Ycj/jAbcDQ== X-Received: by 10.28.5.196 with SMTP id 187mr4408943wmf.55.1510528523565; Sun, 12 Nov 2017 15:15:23 -0800 (PST) Received: from wildmoose.dk ([2a01:488:66:1000:57e6:57d1:0:1]) by smtp.gmail.com with ESMTPSA id o70sm48012169wrb.62.2017.11.12.15.15.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 12 Nov 2017 15:15:23 -0800 (PST) From: Rasmus Villemoes To: "David S. Miller" Cc: Rasmus Villemoes , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/7] net: core: improve sanity checking in __dev_alloc_name Date: Mon, 13 Nov 2017 00:15:04 +0100 Message-Id: <20171112231511.4666-2-linux@rasmusvillemoes.dk> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171112231511.4666-1-linux@rasmusvillemoes.dk> References: <20171112231511.4666-1-linux@rasmusvillemoes.dk> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org __dev_alloc_name is called from the public (and exported) dev_alloc_name(), so we don't have a guarantee that strlen(name) is at most IFNAMSIZ. If somebody manages to get __dev_alloc_name called with a % char beyond the 31st character, we'd be making a snprintf() call that will very easily crash the kernel (using an appropriate %p extension, we'll likely dereference some completely bogus pointer). In the normal case where strlen() is sane, we don't even save anything by limiting to IFNAMSIZ, so just use strchr(). Signed-off-by: Rasmus Villemoes --- net/core/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c index 11596a302a26..87e19804757b 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1062,7 +1062,7 @@ static int __dev_alloc_name(struct net *net, const char *name, char *buf) unsigned long *inuse; struct net_device *d; - p = strnchr(name, IFNAMSIZ-1, '%'); + p = strchr(name, '%'); if (p) { /* * Verify the string as this thing may have come from