All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] dns_resolver: assure that dns_query() result is null-terminated
@ 2014-06-07 17:56 Manuel Schölling
  2014-06-07 18:54 ` Trond Myklebust
  0 siblings, 1 reply; 10+ messages in thread
From: Manuel Schölling @ 2014-06-07 17:56 UTC (permalink / raw)
  To: davem; +Cc: jeffrey.t.kirsher, netdev, linux-kernel, Manuel Schölling

dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.
---
 net/dns_resolver/dns_query.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index e7b6d53..53be635 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
 	if (!*_result)
 		goto put;
 
-	memcpy(*_result, upayload->data, len + 1);
+	memcpy(*_result, upayload->data, len);
+	*_result[len+1] = '\0';
+
 	if (_expiry)
 		*_expiry = rkey->expiry;
 
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 17:56 [PATCH] dns_resolver: assure that dns_query() result is null-terminated Manuel Schölling
@ 2014-06-07 18:54 ` Trond Myklebust
  2014-06-07 18:57   ` Manuel Schoelling
  2014-06-07 19:01   ` [PATCH v2] " Manuel Schölling
  0 siblings, 2 replies; 10+ messages in thread
From: Trond Myklebust @ 2014-06-07 18:54 UTC (permalink / raw)
  To: Manuel Schölling
  Cc: Miller David S., jeffrey.t.kirsher, netdev, Linux Kernel mailing list

On Sat, Jun 7, 2014 at 1:56 PM, Manuel Schölling
<manuel.schoelling@gmx.de> wrote:
> dns_query() credulously assumes that keys are null-terminated and
> returns a copy of a memory block that is off by one.
> ---
>  net/dns_resolver/dns_query.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
> index e7b6d53..53be635 100644
> --- a/net/dns_resolver/dns_query.c
> +++ b/net/dns_resolver/dns_query.c
> @@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
>         if (!*_result)
>                 goto put;
>
> -       memcpy(*_result, upayload->data, len + 1);
> +       memcpy(*_result, upayload->data, len);
> +       *_result[len+1] = '\0';

Off by one...

> +
>         if (_expiry)
>                 *_expiry = rkey->expiry;
>
> --
> 1.7.10.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/



-- 
Trond Myklebust

Linux NFS client maintainer, PrimaryData

trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 18:54 ` Trond Myklebust
@ 2014-06-07 18:57   ` Manuel Schoelling
  2014-06-07 19:01   ` [PATCH v2] " Manuel Schölling
  1 sibling, 0 replies; 10+ messages in thread
From: Manuel Schoelling @ 2014-06-07 18:57 UTC (permalink / raw)
  To: Trond Myklebust
  Cc: Miller David S., jeffrey.t.kirsher, netdev, Linux Kernel mailing list

LOL, that was stupid!
Sorry, I'll send a corrected version in a second...

On Sa, 2014-06-07 at 14:54 -0400, Trond Myklebust wrote:
> On Sat, Jun 7, 2014 at 1:56 PM, Manuel Schölling
> <manuel.schoelling@gmx.de> wrote:
> > dns_query() credulously assumes that keys are null-terminated and
> > returns a copy of a memory block that is off by one.
> > ---
> >  net/dns_resolver/dns_query.c |    4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
> > index e7b6d53..53be635 100644
> > --- a/net/dns_resolver/dns_query.c
> > +++ b/net/dns_resolver/dns_query.c
> > @@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
> >         if (!*_result)
> >                 goto put;
> >
> > -       memcpy(*_result, upayload->data, len + 1);
> > +       memcpy(*_result, upayload->data, len);
> > +       *_result[len+1] = '\0';
> 
> Off by one...
> 
> > +
> >         if (_expiry)
> >                 *_expiry = rkey->expiry;
> >
> > --
> > 1.7.10.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/
> 
> 
> 



^ permalink raw reply	[flat|nested] 10+ messages in thread
* [PATCH v2] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 18:54 ` Trond Myklebust
  2014-06-07 18:57   ` Manuel Schoelling
@ 2014-06-07 19:01   ` Manuel Schölling
  2014-06-07 21:42     ` David Rientjes
  2014-06-07 21:57     ` [PATCH v3] " Manuel Schölling
  1 sibling, 2 replies; 10+ messages in thread
From: Manuel Schölling @ 2014-06-07 19:01 UTC (permalink / raw)
  To: davem; +Cc: jeffrey.t.kirsher, netdev, linux-kernel, Manuel Schölling

dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.
---
 net/dns_resolver/dns_query.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index e7b6d53..84871a2 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, size_t namelen,
 	len = upayload->datalen;
 
 	ret = -ENOMEM;
-	*_result = kmalloc(len + 1, GFP_KERNEL);
+	*_result = kzalloc(len + 1, GFP_KERNEL);
 	if (!*_result)
 		goto put;
 
-	memcpy(*_result, upayload->data, len + 1);
+	memcpy(*_result, upayload->data, len);
 	if (_expiry)
 		*_expiry = rkey->expiry;
 
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH v2] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 19:01   ` [PATCH v2] " Manuel Schölling
@ 2014-06-07 21:42     ` David Rientjes
  2014-06-07 21:53       ` Manuel Schoelling
  2014-06-07 21:57       ` Sergei Shtylyov
  2014-06-07 21:57     ` [PATCH v3] " Manuel Schölling
  1 sibling, 2 replies; 10+ messages in thread
From: David Rientjes @ 2014-06-07 21:42 UTC (permalink / raw)
  To: Manuel Schölling; +Cc: davem, jeffrey.t.kirsher, netdev, linux-kernel

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1155 bytes --]

On Sat, 7 Jun 2014, Manuel Schölling wrote:

> dns_query() credulously assumes that keys are null-terminated and
> returns a copy of a memory block that is off by one.

No sign-off?  Please read Documentation/SubmittingPatches.

> ---
>  net/dns_resolver/dns_query.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
> index e7b6d53..84871a2 100644
> --- a/net/dns_resolver/dns_query.c
> +++ b/net/dns_resolver/dns_query.c
> @@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, size_t namelen,
>  	len = upayload->datalen;
>  
>  	ret = -ENOMEM;
> -	*_result = kmalloc(len + 1, GFP_KERNEL);
> +	*_result = kzalloc(len + 1, GFP_KERNEL);
>  	if (!*_result)
>  		goto put;
>  
> -	memcpy(*_result, upayload->data, len + 1);
> +	memcpy(*_result, upayload->data, len);
>  	if (_expiry)
>  		*_expiry = rkey->expiry;
>  

kzalloc() would be unnecessary overhead (zeroing definitely comes with a 
cost) if you're going to copy to the memory immediately afterwards.  Just 
leave the kmalloc(), do the memcpy() and explicitly zero terminate it 
_result.

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH v2] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 21:42     ` David Rientjes
@ 2014-06-07 21:53       ` Manuel Schoelling
  2014-06-07 22:02         ` David Rientjes
  2014-06-07 21:57       ` Sergei Shtylyov
  1 sibling, 1 reply; 10+ messages in thread
From: Manuel Schoelling @ 2014-06-07 21:53 UTC (permalink / raw)
  To: David Rientjes; +Cc: davem, jeffrey.t.kirsher, netdev, linux-kernel

On Sa, 2014-06-07 at 14:42 -0700, David Rientjes wrote:
> On Sat, 7 Jun 2014, Manuel Schölling wrote:
> 
> > dns_query() credulously assumes that keys are null-terminated and
> > returns a copy of a memory block that is off by one.
> 
> No sign-off?  Please read Documentation/SubmittingPatches.
It's just not my day today.
Sorry, I forgot about the sign-off.

> > ---
> >  net/dns_resolver/dns_query.c |    4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
> > index e7b6d53..84871a2 100644
> > --- a/net/dns_resolver/dns_query.c
> > +++ b/net/dns_resolver/dns_query.c
> > @@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, size_t namelen,
> >  	len = upayload->datalen;
> >  
> >  	ret = -ENOMEM;
> > -	*_result = kmalloc(len + 1, GFP_KERNEL);
> > +	*_result = kzalloc(len + 1, GFP_KERNEL);
> >  	if (!*_result)
> >  		goto put;
> >  
> > -	memcpy(*_result, upayload->data, len + 1);
> > +	memcpy(*_result, upayload->data, len);
> >  	if (_expiry)
> >  		*_expiry = rkey->expiry;
> >  
> 
> kzalloc() would be unnecessary overhead (zeroing definitely comes with a 
> cost) if you're going to copy to the memory immediately afterwards.  Just 
> leave the kmalloc(), do the memcpy() and explicitly zero terminate it 
> _result.

Using kzalloc() was suggested of a developer on IRC (#kernelnewbies) but
if you prefer kmalloc, that's ok, too.
I'll send you a corrected patch in a second.



^ permalink raw reply	[flat|nested] 10+ messages in thread
* [PATCH v3] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 19:01   ` [PATCH v2] " Manuel Schölling
  2014-06-07 21:42     ` David Rientjes
@ 2014-06-07 21:57     ` Manuel Schölling
  2014-06-11  7:12       ` David Miller
  1 sibling, 1 reply; 10+ messages in thread
From: Manuel Schölling @ 2014-06-07 21:57 UTC (permalink / raw)
  To: davem; +Cc: jeffrey.t.kirsher, netdev, linux-kernel, Manuel Schölling

dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.

Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
---
 net/dns_resolver/dns_query.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index e7b6d53..6853d22 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
 	if (!*_result)
 		goto put;
 
-	memcpy(*_result, upayload->data, len + 1);
+	memcpy(*_result, upayload->data, len);
+	*_result[len] = '\0';
+
 	if (_expiry)
 		*_expiry = rkey->expiry;
 
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH v2] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 21:42     ` David Rientjes
  2014-06-07 21:53       ` Manuel Schoelling
@ 2014-06-07 21:57       ` Sergei Shtylyov
  1 sibling, 0 replies; 10+ messages in thread
From: Sergei Shtylyov @ 2014-06-07 21:57 UTC (permalink / raw)
  To: Manuel Schölling
  Cc: David Rientjes, davem, jeffrey.t.kirsher, netdev, linux-kernel

On 06/08/2014 01:42 AM, David Rientjes wrote:

>> dns_query() credulously assumes that keys are null-terminated and
>> returns a copy of a memory block that is off by one.

> No sign-off?  Please read Documentation/SubmittingPatches.

>> ---
>>   net/dns_resolver/dns_query.c |    4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
>> index e7b6d53..84871a2 100644
>> --- a/net/dns_resolver/dns_query.c
>> +++ b/net/dns_resolver/dns_query.c
>> @@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, size_t namelen,
>>   	len = upayload->datalen;
>>
>>   	ret = -ENOMEM;
>> -	*_result = kmalloc(len + 1, GFP_KERNEL);
>> +	*_result = kzalloc(len + 1, GFP_KERNEL);
>>   	if (!*_result)
>>   		goto put;
>>
>> -	memcpy(*_result, upayload->data, len + 1);
>> +	memcpy(*_result, upayload->data, len);
>>   	if (_expiry)
>>   		*_expiry = rkey->expiry;

> kzalloc() would be unnecessary overhead (zeroing definitely comes with a
> cost) if you're going to copy to the memory immediately afterwards.  Just
> leave the kmalloc(), do the memcpy() and explicitly zero terminate it
> _result.

    You can also replace kmalloc()/memcpy() with kmemdup().

WBR, Sergei


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH v2] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 21:53       ` Manuel Schoelling
@ 2014-06-07 22:02         ` David Rientjes
  0 siblings, 0 replies; 10+ messages in thread
From: David Rientjes @ 2014-06-07 22:02 UTC (permalink / raw)
  To: Manuel Schoelling; +Cc: davem, jeffrey.t.kirsher, netdev, linux-kernel

On Sat, 7 Jun 2014, Manuel Schoelling wrote:

> > kzalloc() would be unnecessary overhead (zeroing definitely comes with a 
> > cost) if you're going to copy to the memory immediately afterwards.  Just 
> > leave the kmalloc(), do the memcpy() and explicitly zero terminate it 
> > _result.
> 
> Using kzalloc() was suggested of a developer on IRC (#kernelnewbies) but
> if you prefer kmalloc, that's ok, too.
> I'll send you a corrected patch in a second.
> 

Using kzalloc() here instead of kmalloc() is functionally equivalent to

	if (*_result) {
		memset(*_result, 0, len + 1);
		memcpy(*_result, upayload->data, len);
	}

so for anything with len > 1 there is an unnecessary overhead in doing 
this.  k?alloc() can return object sizes larger than len + 1 here as well 
(usually power-of-2 sizes are supported by the slab allocator) so 
depending on the value of len, you may be zeroing more memory than 
copying.

Your first patch had the right idea, it's just off by one.

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH v3] dns_resolver: assure that dns_query() result is null-terminated
  2014-06-07 21:57     ` [PATCH v3] " Manuel Schölling
@ 2014-06-11  7:12       ` David Miller
  0 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2014-06-11  7:12 UTC (permalink / raw)
  To: manuel.schoelling; +Cc: jeffrey.t.kirsher, netdev, linux-kernel

From: Manuel Schölling <manuel.schoelling@gmx.de>
Date: Sat,  7 Jun 2014 23:57:25 +0200

> dns_query() credulously assumes that keys are null-terminated and
> returns a copy of a memory block that is off by one.
> 
> Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>

Applied, thanks.

^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-06-11  7:12 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-07 17:56 [PATCH] dns_resolver: assure that dns_query() result is null-terminated Manuel Schölling
2014-06-07 18:54 ` Trond Myklebust
2014-06-07 18:57   ` Manuel Schoelling
2014-06-07 19:01   ` [PATCH v2] " Manuel Schölling
2014-06-07 21:42     ` David Rientjes
2014-06-07 21:53       ` Manuel Schoelling
2014-06-07 22:02         ` David Rientjes
2014-06-07 21:57       ` Sergei Shtylyov
2014-06-07 21:57     ` [PATCH v3] " Manuel Schölling
2014-06-11  7:12       ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.