From: Eric Dumazet
To: Alexander Potapenko
Cc: dvyukov@google.com, kcc@google.com, edumazet@google.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] net: don't call strlen() on the user buffer in packet_bind_spkt()
Date: Tue, 28 Feb 2017 05:42:53 -0800

On Tue, 2017-02-28 at 05:33 -0800, Eric Dumazet wrote:

> It looks like a bug in this implementation of strlcpy() then.
>

Apparently strlcpy(dest, src, size) returns strlen(src), so we cannot
use it in this context.

> sizeof(name) is 15.
>
> If you use strncpy(X, uaddr->sa_data, 15), then you might access
> uaddr->sa_data[14] and this would still be wrong, since sa_data has 14
> bytes only:
>
>
> struct sockaddr {
>         sa_family_t     sa_family;
>         char            sa_data[14];
> };

Maybe then:

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 2bd0d1949312c3d71c4b33529316dcfe76fa28f1..d2e7caa79d2604363316c7316864bed1f4971d29 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3103,7 +3103,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, int addr_len) { struct sock *sk = sock->sk; - char name[15]; + char name[sizeof(uaddr->sa_data) + 1]; /* * Check legality @@ -3111,7 +3111,8 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, if (addr_len != sizeof(struct sockaddr)) return -EINVAL; - strlcpy(name, uaddr->sa_data, sizeof(name)); + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data)); + name[sizeof(uaddr->sa_data)] = 0; return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); }
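
Review bot: In the first hunk (@@ -3103), the "+ 1" in "char name[sizeof(uaddr->sa_data) + 1];" carries the whole safety argument but is unexplained. Deriving the size from sa_data instead of the literal 15 is the right move; add a short comment that the extra byte is reserved for the terminator written after the copy, so a later cleanup does not shrink the array back to sizeof(uaddr->sa_data) and turn the terminator store into a one-byte stack overflow.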
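
Review bot: In the second hunk (@@ -3111), nothing records why strlcpy() was replaced, so the next person to tidy this function could reintroduce it. Suggest a comment above the memcpy() saying that sa_data is not guaranteed to be NUL-terminated and that strlcpy() returns strlen(src), which scans the source without a bound. The memcpy() of sizeof(uaddr->sa_data) bytes is only valid because the preceding "addr_len != sizeof(struct sockaddr)" check rejects any other address length, so the copy must stay after that check. Minor style point: "name[sizeof(uaddr->sa_data)] = 0;" would read more clearly with '\0'.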
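
Added example, not part of the original message or the kernel source: a user-space model of the point made in the message, that a strlcpy()-style copy scans past an unterminated 14-byte sa_data while a memcpy() plus explicit terminator reads exactly 14 bytes. The helpers `model_strlcpy`, `bounded_copy`, `sample`, `overread_bytes` and the 32-byte sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SA_DATA_LEN 14 /* size of sa_data in struct sockaddr, per the message */

/* Model of strlcpy() semantics (hypothetical helper, not kernel code):
 * truncates the copy to size-1 bytes but returns strlen(src). */
static size_t model_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src); /* unbounded scan of the source */
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Bounded copy in the style of the proposed patch: touches 14 source bytes. */
static size_t bounded_copy(char *dst, const char *sa_data)
{
    memcpy(dst, sa_data, SA_DATA_LEN);
    dst[SA_DATA_LEN] = '\0';
    return SA_DATA_LEN;
}

/* Constructed input: 14 non-NUL bytes standing in for sa_data, then 8 bytes
 * of adjacent data inside the same object so the overread here is defined. */
static const char *sample(void)
{
    static char mem[32]; /* zero-initialized, so a NUL follows the 'Z' run */
    memcpy(mem, "eth0eth0eth0et", SA_DATA_LEN);
    memset(mem + SA_DATA_LEN, 'Z', 8);
    return mem;
}

/* Bytes beyond sa_data that the strlcpy()-style copy scanned. */
static size_t overread_bytes(void)
{
    char name[SA_DATA_LEN + 1];
    size_t scanned = model_strlcpy(name, sample(), sizeof(name));
    return scanned > SA_DATA_LEN ? scanned - SA_DATA_LEN : 0;
}

int main(void)
{
    printf("strlcpy-style overread: %zu bytes\n", overread_bytes());
    return 0;
}
```

Both copies leave the same 14 characters in `name`; the difference is only in how much of the source is read, which is the behaviour the message objects to.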