All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
@ 2021-02-16 16:50 Sabrina Dubroca
  2021-03-08 11:30 ` Sabrina Dubroca
  2021-03-08 17:18 ` Stephen Hemminger
  0 siblings, 2 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-02-16 16:50 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Sabrina Dubroca, Paul Wouters

Security context names are not guaranteed to be NUL-terminated by the
kernel, so we can't just print them using %s directly. The length of
the string is capped by the size of the netlink attribute (u16), so it
will always fit within 65535 bytes.

While at it, factor that out to a separate function, since the exact
same code is used to print the security context for both policies and
states.

Fixes: b2bb289a57fe ("xfrm security context support")
Reported-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 ip/ipxfrm.c | 46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index e4a72bd06778..3fc0e13ef112 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -916,6 +916,22 @@ static int xfrm_selector_iszero(struct xfrm_selector *s)
 	return (memcmp(&s0, s, sizeof(s0)) == 0);
 }
 
+static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
+{
+	struct xfrm_user_sec_ctx *sctx;
+	char buf[65536] = {};
+
+	fprintf(fp, "\tsecurity context ");
+
+	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
+		fprintf(fp, "(ERROR truncated)");
+
+	sctx = RTA_DATA(attr);
+
+	memcpy(buf, (char *)(sctx + 1), sctx->ctx_len);
+	fprintf(fp, "%s %s", buf, _SL_);
+}
+
 void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 			    struct rtattr *tb[], FILE *fp, const char *prefix,
 			    const char *title, bool nokeys)
@@ -983,19 +999,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
-	}
-
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 }
 
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -1006,19 +1011,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
 
 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s ", (char *)(sctx + 1));
-		fprintf(fp, "%s", _SL_);
-	}
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 
 	if (prefix)
 		strlcat(buf, prefix, sizeof(buf));
-- 
2.30.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
  2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
@ 2021-03-08 11:30 ` Sabrina Dubroca
  2021-03-08 17:18 ` Stephen Hemminger
  1 sibling, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-03-08 11:30 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Paul Wouters

Hi Stephen/David,

2021-02-16, 17:50:58 +0100, Sabrina Dubroca wrote:
> Security context names are not guaranteed to be NUL-terminated by the
> kernel, so we can't just print them using %s directly. The length of
> the string is capped by the size of the netlink attribute (u16), so it
> will always fit within 65535 bytes.
> 
> While at it, factor that out to a separate function, since the exact
> same code is used to print the security context for both policies and
> states.

This patch ended up with "Changes Requested" in patchwork [1], even though
there has been no reply to it. Do I need to resend it?

[1] https://patchwork.kernel.org/project/netdevbpf/patch/11af39932b3896cf1a560059bcbd24194e7f33bd.1613473397.git.sd@queasysnail.net/

Thanks,

-- 
Sabrina


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing
  2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
  2021-03-08 11:30 ` Sabrina Dubroca
@ 2021-03-08 17:18 ` Stephen Hemminger
  2021-03-09 15:44   ` [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing Sabrina Dubroca
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Hemminger @ 2021-03-08 17:18 UTC (permalink / raw)
  To: Sabrina Dubroca; +Cc: netdev, dsahern, Paul Wouters

On Tue, 16 Feb 2021 17:50:58 +0100
Sabrina Dubroca <sd@queasysnail.net> wrote:

> +static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
> +{
> +	struct xfrm_user_sec_ctx *sctx;
> +	char buf[65536] = {};
> +
> +	fprintf(fp, "\tsecurity context ");
> +
> +	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
> +		fprintf(fp, "(ERROR truncated)");
> +
> +	sctx = RTA_DATA(attr);
> +
> +	memcpy(buf, (char *)(sctx + 1), sctx->ctx_len);
> +	fprintf(fp, "%s %s", buf, _SL_);
> +}

The copy buffer is not needed. Use the printf precision as
a mechanism instead.

         fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1));


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing
  2021-03-08 17:18 ` Stephen Hemminger
@ 2021-03-09 15:44   ` Sabrina Dubroca
  0 siblings, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2021-03-09 15:44 UTC (permalink / raw)
  To: netdev; +Cc: dsahern, stephen, Sabrina Dubroca, Paul Wouters

Security context names are not guaranteed to be NUL-terminated by the
kernel, so we can't just print them using %s directly. The length of
the string is determined by sctx->ctx_len, so we can use that to limit
what fprintf outputs.

While at it, factor that out to a separate function, since the exact
same code is used to print the security context for both policies and
states.

Fixes: b2bb289a57fe ("xfrm security context support")
Reported-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
v2: drop the memcpy and use %.*s, suggested by Stephen Hemminger

 ip/ipxfrm.c | 43 +++++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 26 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index e4a72bd06778..8a794032cf12 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -916,6 +916,19 @@ static int xfrm_selector_iszero(struct xfrm_selector *s)
 	return (memcmp(&s0, s, sizeof(s0)) == 0);
 }
 
+static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
+{
+	struct xfrm_user_sec_ctx *sctx;
+
+	fprintf(fp, "\tsecurity context ");
+
+	if (RTA_PAYLOAD(attr) < sizeof(*sctx))
+		fprintf(fp, "(ERROR truncated)");
+
+	sctx = RTA_DATA(attr);
+	fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1), _SL_);
+}
+
 void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 			    struct rtattr *tb[], FILE *fp, const char *prefix,
 			    const char *title, bool nokeys)
@@ -983,19 +996,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		xfrm_stats_print(&xsinfo->stats, fp, buf);
 	}
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
-	}
-
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 }
 
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -1006,19 +1008,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
 
 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
 
-	if (tb[XFRMA_SEC_CTX]) {
-		struct xfrm_user_sec_ctx *sctx;
-
-		fprintf(fp, "\tsecurity context ");
-
-		if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-			fprintf(fp, "(ERROR truncated)");
-
-		sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-		fprintf(fp, "%s ", (char *)(sctx + 1));
-		fprintf(fp, "%s", _SL_);
-	}
+	if (tb[XFRMA_SEC_CTX])
+		xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 
 	if (prefix)
 		strlcat(buf, prefix, sizeof(buf));
-- 
2.30.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-09 15:45 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-16 16:50 [PATCH iproute2] ip: xfrm: add NUL character to security context name before printing Sabrina Dubroca
2021-03-08 11:30 ` Sabrina Dubroca
2021-03-08 17:18 ` Stephen Hemminger
2021-03-09 15:44   ` [PATCH iproute2 v2] ip: xfrm: limit the length of the security context name when printing Sabrina Dubroca

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.