Message ID | YM33YmacZTH820Cv@mwanda |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [net-next] netfilter: nfnetlink_hook: fix check for snprintf() overflow | expand |
Dan Carpenter <dan.carpenter@oracle.com> wrote: > The kernel version of snprintf() can't return negatives. The > "ret > (int)sizeof(sym)" check is off by one because and it should be > >=. Finally, we need to set a negative error code. Reviewed-by: Florian Westphal <fw@strlen.de>
On Sat, Jun 19, 2021 at 04:55:46PM +0300, Dan Carpenter wrote: > The kernel version of snprintf() can't return negatives. The > "ret > (int)sizeof(sym)" check is off by one because and it should be > >=. Finally, we need to set a negative error code. Applied, thanks.
diff --git a/net/netfilter/nfnetlink_hook.c b/net/netfilter/nfnetlink_hook.c index 58fda6ac663b..50b4e3c9347a 100644 --- a/net/netfilter/nfnetlink_hook.c +++ b/net/netfilter/nfnetlink_hook.c @@ -126,8 +126,10 @@ static int nfnl_hook_dump_one(struct sk_buff *nlskb, #ifdef CONFIG_KALLSYMS ret = snprintf(sym, sizeof(sym), "%ps", ops->hook); - if (ret < 0 || ret > (int)sizeof(sym)) + if (ret >= sizeof(sym)) { + ret = -EINVAL; goto nla_put_failure; + } module_name = strstr(sym, " ["); if (module_name) {