From patchwork Tue Jan 30 19:33:35 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Dickinson <cshored@thecshore.com>
X-Patchwork-Id: 867641
Return-Path: <openwrt-devel-bounces@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=pass (helo) smtp.helo=arrakis.dune.hu
	(client-ip=78.24.191.176; helo=arrakis.dune.hu;
	envelope-from=openwrt-devel-bounces@lists.openwrt.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=thecshore.com header.i=@thecshore.com
	header.b="jg+bJaw7"; dkim-atps=neutral
Received: from arrakis.dune.hu (arrakis.dune.hu [78.24.191.176])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3zWGly0GtTz9sDB
	for <incoming@patchwork.ozlabs.org>;
	Wed, 31 Jan 2018 06:34:19 +1100 (AEDT)
Received: from arrakis.dune.hu (localhost [127.0.0.1])
	by arrakis.dune.hu (Postfix) with ESMTP id 33B95B90FC6;
	Tue, 30 Jan 2018 20:34:14 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on arrakis.dune.hu
X-Spam-Level: 
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,T_DKIM_INVALID
	autolearn=unavailable autolearn_force=no version=3.4.1
Received: from arrakis.dune.hu (localhost [127.0.0.1])
	by arrakis.dune.hu (Postfix) with ESMTP;
	Tue, 30 Jan 2018 20:34:14 +0100 (CET)
Received: from arrakis.dune.hu (localhost [127.0.0.1])
	by arrakis.dune.hu (Postfix) with ESMTP id 1B218B90F6F
	for <openwrt-devel@lists.openwrt.org>;
	Tue, 30 Jan 2018 20:34:13 +0100 (CET)
X-policyd-weight: using cached result; rate: -6.1
Received: from mail.thecshore.com (mail.thecshore.com [144.217.14.6])
	by arrakis.dune.hu (Postfix) with ESMTP
	for <openwrt-devel@lists.openwrt.org>;
	Tue, 30 Jan 2018 20:34:12 +0100 (CET)
Received: from workhobbyl.thecshore.com (135-23-247-100.cpe.pppoe.ca
	[135.23.247.100])
	by mail.thecshore.com (Postfix) with ESMTPSA id 7CCE32657;
	Tue, 30 Jan 2018 14:34:11 -0500 (EST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.thecshore.com 7CCE32657
Authentication-Results: mail.thecshore.com;
	dmarc=none (p=none dis=none) header.from=thecshore.com
Authentication-Results: mail.thecshore.com;
	spf=fail smtp.mailfrom=cshored@thecshore.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.thecshore.com 7CCE32657
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thecshore.com;
	s=default; t=1517340851;
	bh=ijQWDyHpUB8fWHgXhy2Gz5hxsheJZeVzYAXfO96+pZA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=jg+bJaw7jnD+dlWs9PXKi7oC9YoGhI+rewmzqoz9F24b+MUpPvin2AtpEDLWetWoX
	W4o544BnfyYwX4XVDHDPCuD2ldcWapDXw3MeqnOK02CCBKQMA3rmltlf8dlsGt0hPU
	hjYfMyI26lUMfCUD/FdkBhlQPF1nTWa4OUs3f+wU=
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at mail.thecshore.com
From: cshored@thecshore.com
To: openwrt-devel@lists.openwrt.org
Date: Tue, 30 Jan 2018 14:33:35 -0500
Message-Id: <20180130193335.22225-1-cshored@thecshore.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180130181649.17813-1-cshored@thecshore.com>
References: <20180130181649.17813-1-cshored@thecshore.com>
Subject: [OpenWrt-Devel] [PATCH v2] vlan: Buffer overlow in snprintf for
	vlans
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: 
 <https://lists.openwrt.org/cgi-bin/mailman/options/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: 
 <https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: openwrt-devel-bounces@lists.openwrt.org
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>

From: "Daniel F. Dickinson" <cshored@thecshore.com>

Ok, found a way to test the long end of the range, and fixed
the off by 2 error in the last patch.  Stil more informational,
but I hope you find it useful.

Buffer overlflow condition can occur because vlan
device name is constructed from device name (size IFNAMSIZ)
plus the ASCII decimal representation of the vlan id plus
a dot, but the target can only be IFNAMSIZ.  We fix this
by using fields widths (and make sure we don't truncate
more of the orogin device name than we must).

Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
---
 vlan.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/vlan.c b/vlan.c
index 067f624..eb20b13 100644
--- a/vlan.c
+++ b/vlan.c
@@ -64,9 +64,19 @@ static int vlan_set_device_state(struct device *dev, bool up)
 static void vlan_dev_set_name(struct vlan_device *vldev, struct device *dev)
 {
 	char name[IFNAMSIZ];
+	char devnum[5];
+	int i, j = 0;
 
 	vldev->dev.hidden = dev->hidden;
-	snprintf(name, IFNAMSIZ, "%s.%d", dev->ifname, vldev->id);
+	snprintf(devnum, 5, "%d", vldev->id);
+	i = strnlen(devnum, 4);
+	/* Subtract the dot and terminating null */
+	j = IFNAMSIZ - i - 3;
+	/* Brute force the null and length and 0-index math */
+	name[0] = 0;
+	strncat(name, dev->ifname, j);
+	strncat(name, ".", 1);
+	strncat(name, devnum, i);
 	device_set_ifname(&vldev->dev, name);
 }