[patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings

All of lore.kernel.org
 help / color / mirror / Atom feed

* [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
@ 2012-06-30 11:49 Dan Carpenter
  2012-07-02 10:09   ` David Laight
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2012-06-30 11:49 UTC (permalink / raw)
  To: James E.J. Bottomley, Barak Witkowski
  Cc: Eddie Wai, Michael Chan, linux-scsi, netdev, David S. Miller

DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
12 bytes from the stack so it's a small information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This was just added to linux-next yesterday, but I'm not sure which tree
it came from.

diff --git a/drivers/scsi/bnx2i/bnx2i_init.c b/drivers/scsi/bnx2i/bnx2i_init.c
index 7729a52..b17637a 100644
--- a/drivers/scsi/bnx2i/bnx2i_init.c
+++ b/drivers/scsi/bnx2i/bnx2i_init.c
@@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
 	if (!stats)
 		return -ENOMEM;

-	memcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version));
+	strlcpy(stats->version, DRV_MODULE_VERSION, sizeof(stats->version));
 	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);

 	stats->max_frame_size = hba->netdev->mtu;

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* RE: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
  2012-06-30 11:49 [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings Dan Carpenter
@ 2012-07-02 10:09   ` David Laight
  0 siblings, 0 replies; 7+ messages in thread
From: David Laight @ 2012-07-02 10:09 UTC (permalink / raw)
  To: Dan Carpenter, James E.J. Bottomley, Barak Witkowski
  Cc: Eddie Wai, Michael Chan, linux-scsi, netdev, David S. Miller

> Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
strings
> 
> DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> 12 bytes from the stack so it's a small information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This was just added to linux-next yesterday, but I'm not sure 
> which tree it came from.
> 
> diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> b/drivers/scsi/bnx2i/bnx2i_init.c
> index 7729a52..b17637a 100644
> --- a/drivers/scsi/bnx2i/bnx2i_init.c
> +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
>  	if (!stats)
>  		return -ENOMEM;
>  
> -	memcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
> +	strlcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
>  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);

Doesn't that leak the original contents of the last bytes of
stats->version instead?

	David

^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
@ 2012-07-02 10:09   ` David Laight
  0 siblings, 0 replies; 7+ messages in thread
From: David Laight @ 2012-07-02 10:09 UTC (permalink / raw)
  To: Dan Carpenter, James E.J. Bottomley, Barak Witkowski
  Cc: Eddie Wai, Michael Chan, linux-scsi, netdev, David S. Miller

> Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
strings
> 
> DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> 12 bytes from the stack so it's a small information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This was just added to linux-next yesterday, but I'm not sure 
> which tree it came from.
> 
> diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> b/drivers/scsi/bnx2i/bnx2i_init.c
> index 7729a52..b17637a 100644
> --- a/drivers/scsi/bnx2i/bnx2i_init.c
> +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
>  	if (!stats)
>  		return -ENOMEM;
>  
> -	memcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
> +	strlcpy(stats->version, DRV_MODULE_VERSION,
sizeof(stats->version));
>  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);

Doesn't that leak the original contents of the last bytes of
stats->version instead?

	David

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
  2012-07-02 10:09   ` David Laight
  (?)
@ 2012-07-02 10:48   ` Dan Carpenter
  2012-07-02 15:13     ` Michael Chan
  -1 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2012-07-02 10:48 UTC (permalink / raw)
  To: David Laight
  Cc: James E.J. Bottomley, Barak Witkowski, Eddie Wai, Michael Chan,
	linux-scsi, netdev, David S. Miller

On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> strings
> > 
> > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > 12 bytes from the stack so it's a small information leak.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > This was just added to linux-next yesterday, but I'm not sure 
> > which tree it came from.
> > 
> > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > b/drivers/scsi/bnx2i/bnx2i_init.c
> > index 7729a52..b17637a 100644
> > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> >  	if (!stats)
> >  		return -ENOMEM;
> >  
> > -	memcpy(stats->version, DRV_MODULE_VERSION,
> sizeof(stats->version));
> > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> sizeof(stats->version));
> >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> 
> Doesn't that leak the original contents of the last bytes of
> stats->version instead?

I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
  2012-07-02 10:48   ` Dan Carpenter
@ 2012-07-02 15:13     ` Michael Chan
  2012-07-02 17:53       ` Eddie Wai
  2012-07-09  6:51       ` David Miller
  0 siblings, 2 replies; 7+ messages in thread
From: Michael Chan @ 2012-07-02 15:13 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: David Laight, James E.J. Bottomley, Barak Witkowski, Eddie Wai,
	linux-scsi, netdev, David S. Miller

On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: 
> On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> > strings
> > > 
> > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > > 12 bytes from the stack so it's a small information leak.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > This was just added to linux-next yesterday, but I'm not sure 
> > > which tree it came from.
> > > 
> > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > > b/drivers/scsi/bnx2i/bnx2i_init.c
> > > index 7729a52..b17637a 100644
> > > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> > >  	if (!stats)
> > >  		return -ENOMEM;
> > >  
> > > -	memcpy(stats->version, DRV_MODULE_VERSION,
> > sizeof(stats->version));
> > > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> > sizeof(stats->version));
> > >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> > 
> > Doesn't that leak the original contents of the last bytes of
> > stats->version instead?
> 
> I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().
> 

Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct.

This came from the net-next tree, so David is the right persion to apply
this.  Thanks.

Acked-by: Michael Chan <mchan@broadcom.com>



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
  2012-07-02 15:13     ` Michael Chan
@ 2012-07-02 17:53       ` Eddie Wai
  2012-07-09  6:51       ` David Miller
  1 sibling, 0 replies; 7+ messages in thread
From: Eddie Wai @ 2012-07-02 17:53 UTC (permalink / raw)
  To: Michael Chan
  Cc: Dan Carpenter, David Laight, James E.J. Bottomley,
	Barak Witkowski, linux-scsi, netdev, David S. Miller


On Mon, 2012-07-02 at 08:13 -0700, Michael Chan wrote:
> On Mon, 2012-07-02 at 13:48 +0300, Dan Carpenter wrote: 
> > On Mon, Jul 02, 2012 at 11:09:19AM +0100, David Laight wrote:
> > > > Subject: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for
> > > strings
> > > > 
> > > > DRV_MODULE_VERSION here is "2.7.2.2" which is only 8 chars but we copy
> > > > 12 bytes from the stack so it's a small information leak.
> > > > 
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > > ---
> > > > This was just added to linux-next yesterday, but I'm not sure 
> > > > which tree it came from.
> > > > 
> > > > diff --git a/drivers/scsi/bnx2i/bnx2i_init.c 
> > > > b/drivers/scsi/bnx2i/bnx2i_init.c
> > > > index 7729a52..b17637a 100644
> > > > --- a/drivers/scsi/bnx2i/bnx2i_init.c
> > > > +++ b/drivers/scsi/bnx2i/bnx2i_init.c
> > > > @@ -400,7 +400,7 @@ int bnx2i_get_stats(void *handle)
> > > >  	if (!stats)
> > > >  		return -ENOMEM;
> > > >  
> > > > -	memcpy(stats->version, DRV_MODULE_VERSION,
> > > sizeof(stats->version));
> > > > +	strlcpy(stats->version, DRV_MODULE_VERSION,
> > > sizeof(stats->version));
> > > >  	memcpy(stats->mac_add1 + 2, hba->cnic->mac_addr, ETH_ALEN);
> > > 
> > > Doesn't that leak the original contents of the last bytes of
> > > stats->version instead?
> > 
> > I'm pretty sure we set those to zero in bnx2x_handle_drv_info_req().
> > 
> 
> Yes, bnx2x zeros the whole stats structure, so strlcpy() is correct.
> 
> This came from the net-next tree, so David is the right persion to apply
> this.  Thanks.
> 
> Acked-by: Michael Chan <mchan@broadcom.com>
> 
True.  strlcpy() is the correct routine to use (instead of strncpy) as
this needs to be NULL terminated.  Thanks.

Acked-by: Eddie Wai <eddie.wai@broadcom.com>




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings
  2012-07-02 15:13     ` Michael Chan
  2012-07-02 17:53       ` Eddie Wai
@ 2012-07-09  6:51       ` David Miller
  1 sibling, 0 replies; 7+ messages in thread
From: David Miller @ 2012-07-09  6:51 UTC (permalink / raw)
  To: mchan
  Cc: dan.carpenter, David.Laight, JBottomley, barak, eddie.wai,
	linux-scsi, netdev

From: "Michael Chan" <mchan@broadcom.com>
Date: Mon, 2 Jul 2012 08:13:38 -0700

> This came from the net-next tree, so David is the right persion to apply
> this.  Thanks.
> 
> Acked-by: Michael Chan <mchan@broadcom.com>

Applied, thanks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2012-07-09  6:51 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-06-30 11:49 [patch] [SCSI] bnx2i: use strlcpy() instead of memcpy() for strings Dan Carpenter
2012-07-02 10:09 ` David Laight
2012-07-02 10:09   ` David Laight
2012-07-02 10:48   ` Dan Carpenter
2012-07-02 15:13     ` Michael Chan
2012-07-02 17:53       ` Eddie Wai
2012-07-09  6:51       ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.