linux-kernel.vger.kernel.org archive mirror
* [PATCH] tipc: fix an infoleak in tipc_nl_compat_link_dump
@ 2016-06-02  8:04 Kangjie Lu
  2016-06-03  4:32 ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Kangjie Lu @ 2016-06-02  8:04 UTC
  To: jon.maloy
  Cc: ying.xue, davem, netdev, linux-kernel, taesoo, csong84, Kangjie Lu

link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
---
 net/tipc/netlink_compat.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index f795b1d..2518014 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 
 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
+	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
+		    TIPC_MAX_LINK_NAME);
 
 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
 			    &link_info, sizeof(link_info));
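
Review bot: on the added nla_strlcpy() call, the source argument is nla_data(link[TIPC_NLA_LINK_NAME]), but nla_strlcpy() takes the attribute itself (a const struct nlattr *) and reads the length and payload from its header, so handing it the payload pointer makes it treat the first bytes of the name as a netlink attribute header. Pass link[TIPC_NLA_LINK_NAME] directly. Consider sizeof(link_info.str) instead of TIPC_MAX_LINK_NAME for the size so the bound is tied to the destination array.
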
-- 
2.7.4

* Re: [PATCH] tipc: fix an infoleak in tipc_nl_compat_link_dump
  2016-06-02  8:04 [PATCH] tipc: fix an infoleak in tipc_nl_compat_link_dump Kangjie Lu
@ 2016-06-03  4:32 ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2016-06-03  4:32 UTC
  To: kangjielu
  Cc: jon.maloy, ying.xue, netdev, linux-kernel, taesoo, csong84, kjlu

From: Kangjie Lu <kangjielu@gmail.com>
Date: Thu,  2 Jun 2016 04:04:56 -0400

> link_info.str is a char array of size 60. Memory after the NULL
> byte is not initialized. Sending the whole object out can cause
> a leak.
> 
> Signed-off-by: Kangjie Lu <kjlu@gatech.edu>

Applied.

* Re: [PATCH] tipc: fix an infoleak in tipc_nl_compat_link_dump
  2016-06-01 16:34 Kangjie Lu
@ 2016-06-02  6:32 ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2016-06-02  6:32 UTC
  To: kangjielu
  Cc: jon.maloy, ying.xue, netdev, linux-kernel, taesoo, csong84, kjlu

From: Kangjie Lu <kangjielu@gmail.com>
Date: Wed,  1 Jun 2016 12:34:55 -0400

> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
> index f795b1d..115aafa 100644
> --- a/net/tipc/netlink_compat.c
> +++ b/net/tipc/netlink_compat.c
> @@ -604,6 +604,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
>  
>  	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
>  	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
> +	memset((void *)link_info.str, 0, TIPC_MAX_LINK_NAME);
>  	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
>  
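
Review bot: the memset() bound on the added line is TIPC_MAX_LINK_NAME rather than the size of the destination; sizeof(link_info.str) keeps the two from drifting apart, and the (void *) cast is not needed because memset() already takes a void *.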

Please instead use "nla_strlcpy()".

Thanks.

* [PATCH] tipc: fix an infoleak in tipc_nl_compat_link_dump
@ 2016-06-01 16:34 Kangjie Lu
  2016-06-02  6:32 ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Kangjie Lu @ 2016-06-01 16:34 UTC
  To: jon.maloy
  Cc: ying.xue, davem, netdev, linux-kernel, taesoo, csong84, Kangjie Lu

link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
---
 net/tipc/netlink_compat.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index f795b1d..115aafa 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -604,6 +604,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 
 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+	memset((void *)link_info.str, 0, TIPC_MAX_LINK_NAME);
 	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
 
 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
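
Review bot: the strcpy() kept below the new memset() is still unbounded, so the hunk clears stale bytes but nothing in the visible lines stops a name longer than link_info.str from overrunning it. A length-limited copy that zero-fills the destination would cover both in one call and make the separate memset() unnecessary.
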
-- 
2.7.4
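
The leak described in the commit message, as an added userspace illustration that is not code from this thread or from the kernel: a stand-in struct (field types assumed) is pre-filled with a constructed 0xAA marker playing the role of stale stack memory, the name is copied with strcpy() or with a zero-filling bounded copy, and the marker bytes left in the outgoing buffer are counted. The helper names, the marker and the sample link name are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 60    /* size of link_info.str per the commit message */
#define STALE    0xAA  /* constructed marker standing in for old stack data */

/* Stand-in for the reply object; field types are assumed for this demo. */
struct link_info_demo {
	uint32_t dest;
	uint32_t up;
	char str[NAME_LEN];
};

/* Zero-fill the whole destination, then copy at most dstsize - 1 bytes. */
static void copy_zero_filled(char *dst, const char *src, size_t dstsize)
{
	size_t len = strlen(src);

	if (dstsize == 0)
		return;
	if (len >= dstsize)
		len = dstsize - 1;
	memset(dst, 0, dstsize);
	memcpy(dst, src, len);
}

/* Fill the object, serialize all of it, count marker bytes that would go out. */
static size_t stale_bytes_sent(const char *name, int zero_filled)
{
	struct link_info_demo info;
	unsigned char wire[sizeof(info)];
	size_t i, stale = 0;

	memset(&info, STALE, sizeof(info));  /* simulate uninitialized stack */
	info.dest = 0;
	info.up = 1;
	if (zero_filled)
		copy_zero_filled(info.str, name, sizeof(info.str));
	else
		strcpy(info.str, name);      /* tail after the terminator untouched */
	memcpy(wire, &info, sizeof(info));   /* whole object is sent */
	for (i = 0; i < sizeof(wire); i++)
		stale += (wire[i] == STALE);
	return stale;
}

int main(void)
{
	printf("strcpy:      %zu\n", stale_bytes_sent("1.1.1:eth0-1.1.2:eth0", 0));
	printf("zero-filled: %zu\n", stale_bytes_sent("1.1.1:eth0-1.1.2:eth0", 1));
}
```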
