From: Kees Cook <keescook@chromium.org>
To: Justin Stitt <justinstitt@google.com>
Cc: Steve French <sfrench@samba.org>,
Paulo Alcantara <pc@manguebit.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>,
Shyam Prasad N <sprasad@microsoft.com>,
Tom Talpey <tom@talpey.com>, Bharath SM <bharathsm@microsoft.com>,
linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] smb: client: replace deprecated strncpy with strscpy
Date: Thu, 28 Mar 2024 20:44:08 -0700 [thread overview]
Message-ID: <202403282041.6A4E12EA@keescook> (raw)
In-Reply-To: <20240328-strncpy-fs-smb-client-cifssmb-c-v1-1-30d12bcf500d@google.com>
On Thu, Mar 28, 2024 at 09:44:48PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> In cifssmb.c:
> Using strncpy with a length argument equal to strlen(src) is generally
> dangerous because it can cause string buffers to not be NUL-terminated.
> In this case, however, there was extra effort made to ensure the buffer
> was NUL-terminated via a manual NUL-byte assignment. In an effort to rid
> the kernel of strncpy() use, let's swap over to using strscpy() which
> guarantees NUL-termination on the destination buffer.
>
> To handle the case where ea_name is NULL, let's use the ?: operator to
> substitute in an empty string, thereby allowing strscpy to still
> NUL-terminate the destintation string.
Yeah. And for the non-NULL case, namelen is 0-255. And 255 comes from
strnlen() as the limit of characters, so namelen + 1 will include the NUL
terminator.
> Interesting note: this flex array buffer may go on to also have some
> value encoded after the NUL-termination:
> | if (ea_value_len)
> | memcpy(parm_data->list.name + name_len + 1,
> | ea_value, ea_value_len);
>
> Now for smb2ops.c and smb2transport.c:
> Both of these cases are simple, strncpy() is used to copy string
> literals which have a length less than the destination buffer's size. We
> can simply swap in the new 2-argument version of strscpy() introduced in
> Commit e6584c3964f2f ("string: Allow 2-argument strscpy()").
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
prev parent reply other threads:[~2024-03-29 3:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 21:44 [PATCH] smb: client: replace deprecated strncpy with strscpy Justin Stitt
2024-03-29 3:44 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202403282041.6A4E12EA@keescook \
--to=keescook@chromium.org \
--cc=bharathsm@microsoft.com \
--cc=justinstitt@google.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pc@manguebit.com \
--cc=ronniesahlberg@gmail.com \
--cc=samba-technical@lists.samba.org \
--cc=sfrench@samba.org \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.