netdev.vger.kernel.org archive mirror
* [PATCH net-next] pktgen: convert safe uses of strncpy() to strcpy() to avoid string truncation warning
@ 2018-07-17 21:32 Jakub Kicinski
  2018-07-18 22:24 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Jakub Kicinski @ 2018-07-17 21:32 UTC (permalink / raw)
  To: davem; +Cc: oss-drivers, netdev, Jakub Kicinski

GCC 8 complains:

net/core/pktgen.c: In function ‘pktgen_if_write’:
net/core/pktgen.c:1419:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
    strncpy(pkt_dev->src_max, buf, len);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/pktgen.c:1399:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
    strncpy(pkt_dev->src_min, buf, len);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/pktgen.c:1290:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
    strncpy(pkt_dev->dst_max, buf, len);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/pktgen.c:1268:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
    strncpy(pkt_dev->dst_min, buf, len);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is no bug here, but the code is not perfect either.  It copies
sizeof(pkt_dev->/member/) - 1 from user space into buf, and then does
a strcmp(pkt_dev->/member/, buf) hence assuming buf will be null-terminated
and shorter than pkt_dev->/member/ (pkt_dev->/member/ is never
explicitly null-terminated, and strncpy() doesn't have to null-terminate
so the assumption must be on buf).  The use of strncpy() without explicit
null-termination looks suspicious.  Convert to use straight strcpy().

strncpy() would also null-pad the output, but that's clearly unnecessary
since the author calls memset(pkt_dev->/member/, 0, sizeof(..)); prior
to strncpy(), anyway.

While at it format the code for "dst_min", "dst_max", "src_min" and
"src_max" in the same way by removing extra new lines in one case.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Jiong Wang <jiong.wang@netronome.com>
---
 net/core/pktgen.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 49368e21d228..308ed04984de 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1265,7 +1265,7 @@ static ssize_t pktgen_if_write(struct file *file,
 		buf[len] = 0;
 		if (strcmp(buf, pkt_dev->dst_min) != 0) {
 			memset(pkt_dev->dst_min, 0, sizeof(pkt_dev->dst_min));
-			strncpy(pkt_dev->dst_min, buf, len);
+			strcpy(pkt_dev->dst_min, buf);
 			pkt_dev->daddr_min = in_aton(pkt_dev->dst_min);
 			pkt_dev->cur_daddr = pkt_dev->daddr_min;
 		}
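Review bot: the new strcpy(pkt_dev->dst_min, buf) carries no bound of its own, and nothing in this hunk's context shows that len is capped below sizeof(pkt_dev->dst_min); only buf[len] = 0 is visible. The commit message says the cap is applied before the copy from user space, so the copy is safe as it stands, but a later change to that cap would become an overflow with no compiler warning at the copy site. Consider strscpy(pkt_dev->dst_min, buf, sizeof(pkt_dev->dst_min)), which keeps the bound next to the copy and is not subject to -Wstringop-truncation, or at least a one-line comment naming the invariant.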
@@ -1280,14 +1280,12 @@ static ssize_t pktgen_if_write(struct file *file,
 		if (len < 0)
 			return len;
 
-
 		if (copy_from_user(buf, &user_buffer[i], len))
 			return -EFAULT;
-
 		buf[len] = 0;
 		if (strcmp(buf, pkt_dev->dst_max) != 0) {
 			memset(pkt_dev->dst_max, 0, sizeof(pkt_dev->dst_max));
-			strncpy(pkt_dev->dst_max, buf, len);
+			strcpy(pkt_dev->dst_max, buf);
 			pkt_dev->daddr_max = in_aton(pkt_dev->dst_max);
 			pkt_dev->cur_daddr = pkt_dev->daddr_max;
 		}
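Review bot: the two blank-line removals around copy_from_user() are a style cleanup folded into a functional change. The commit message does mention it, but splitting the whitespace change into its own patch would keep the strcpy() conversion easier to review and to backport on its own.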
@@ -1396,7 +1394,7 @@ static ssize_t pktgen_if_write(struct file *file,
 		buf[len] = 0;
 		if (strcmp(buf, pkt_dev->src_min) != 0) {
 			memset(pkt_dev->src_min, 0, sizeof(pkt_dev->src_min));
-			strncpy(pkt_dev->src_min, buf, len);
+			strcpy(pkt_dev->src_min, buf);
 			pkt_dev->saddr_min = in_aton(pkt_dev->src_min);
 			pkt_dev->cur_saddr = pkt_dev->saddr_min;
 		}
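Review bot: this is the third copy of the same strcmp/memset/strcpy/in_aton sequence, differing only in the member names (src_min, saddr_min, cur_saddr). A small helper taking the destination string, its size and buf would put the length invariant and the copy in one place instead of four; that can be a follow-up rather than part of this patch.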
@@ -1416,7 +1414,7 @@ static ssize_t pktgen_if_write(struct file *file,
 		buf[len] = 0;
 		if (strcmp(buf, pkt_dev->src_max) != 0) {
 			memset(pkt_dev->src_max, 0, sizeof(pkt_dev->src_max));
-			strncpy(pkt_dev->src_max, buf, len);
+			strcpy(pkt_dev->src_max, buf);
 			pkt_dev->saddr_max = in_aton(pkt_dev->src_max);
 			pkt_dev->cur_saddr = pkt_dev->saddr_max;
 		}
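Review bot: the memset() kept above strcpy(pkt_dev->src_max, buf) now only clears the tail bytes after the terminator, since strcpy() writes its own NUL. The strcmp() and in_aton() calls visible in this hunk take the member as a C string, so if nothing else reads the whole array the memset() could be dropped; if something does, a short comment saying why it stays would help the next reader.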
-- 
2.17.1
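
The termination argument in the commit message, as an added user-space example (not code from the patch or from pktgen): MEMBER_SZ, set_old(), set_new() and roundtrip() are hypothetical names, and the address strings are constructed. It shows that strncpy(dst, buf, len) with len equal to the string length relies entirely on the preceding memset() for its terminator, while strcpy() does not.

```c
#include <stdio.h>
#include <string.h>

#define MEMBER_SZ 32	/* assumed size of the destination member */

/* Pre-patch pattern: optional memset, then strncpy() of exactly len bytes. */
static void set_old(char *member, const char *buf, size_t len, int zero_first)
{
	if (zero_first)
		memset(member, 0, MEMBER_SZ);
	strncpy(member, buf, len);	/* no NUL written when len <= strlen(buf) */
}

/* Post-patch pattern: memset, then strcpy(), which writes its own NUL. */
static void set_new(char *member, const char *buf)
{
	memset(member, 0, MEMBER_SZ);
	strcpy(member, buf);		/* requires strlen(buf) < MEMBER_SZ */
}

/* Fill member with a longer previous value, then store "10.0.0.1" into it.
 * Returns 1 if the stored string reads back exactly as written. */
static int roundtrip(int use_new, int zero_first)
{
	char member[MEMBER_SZ];
	const char *buf = "10.0.0.1";	/* constructed sample input */

	memset(member, 0, sizeof(member));
	strcpy(member, "192.168.100.200");	/* constructed previous value */
	if (use_new)
		set_new(member, buf);
	else
		set_old(member, buf, strlen(buf), zero_first);
	return strcmp(member, buf) == 0;
}

int main(void)
{
	printf("strncpy + memset  : %d\n", roundtrip(0, 1));
	printf("strncpy, no memset: %d\n", roundtrip(0, 0));
	printf("strcpy  + memset  : %d\n", roundtrip(1, 1));
	return 0;
}
```

Without the memset() the strncpy() variant leaves the tail of the previous value in place, so the member reads back as a different, still plausible-looking string.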


* Re: [PATCH net-next] pktgen: convert safe uses of strncpy() to strcpy() to avoid string truncation warning
  2018-07-17 21:32 [PATCH net-next] pktgen: convert safe uses of strncpy() to strcpy() to avoid string truncation warning Jakub Kicinski
@ 2018-07-18 22:24 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-07-18 22:24 UTC (permalink / raw)
  To: jakub.kicinski; +Cc: oss-drivers, netdev

From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Tue, 17 Jul 2018 14:32:24 -0700

> GCC 8 complains:
> 
> net/core/pktgen.c: In function ‘pktgen_if_write’:
> net/core/pktgen.c:1419:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
>     strncpy(pkt_dev->src_max, buf, len);
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> net/core/pktgen.c:1399:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
>     strncpy(pkt_dev->src_min, buf, len);
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> net/core/pktgen.c:1290:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
>     strncpy(pkt_dev->dst_max, buf, len);
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> net/core/pktgen.c:1268:4: warning: ‘strncpy’ output may be truncated copying between 0 and 31 bytes from a string of length 127 [-Wstringop-truncation]
>     strncpy(pkt_dev->dst_min, buf, len);
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> There is no bug here, but the code is not perfect either.  It copies
> sizeof(pkt_dev->/member/) - 1 from user space into buf, and then does
> a strcmp(pkt_dev->/member/, buf) hence assuming buf will be null-terminated
> and shorter than pkt_dev->/member/ (pkt_dev->/member/ is never
> explicitly null-terminated, and strncpy() doesn't have to null-terminate
> so the assumption must be on buf).  The use of strncpy() without explicit
> null-termination looks suspicious.  Convert to use straight strcpy().
> 
> strncpy() would also null-pad the output, but that's clearly unnecessary
> since the author calls memset(pkt_dev->/member/, 0, sizeof(..)); prior
> to strncpy(), anyway.
> 
> While at it format the code for "dst_min", "dst_max", "src_min" and
> "src_max" in the same way by removing extra new lines in one case.
> 
> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
> Reviewed-by: Jiong Wang <jiong.wang@netronome.com>

Applied, thanks Jakub.
