Netdev Archive on lore.kernel.org
* [PATCH iproute2 0/2] tipc: input validation
From: Andrea Claudi @ 2021-05-01 16:32 UTC
  To: netdev; +Cc: stephen, dsahern

This series fixes two buffer overflows in tipc due to missing input length
validation on the key and algname params.

Andrea Claudi (2):
  tipc: bail out if algname is abnormally long
  tipc: bail out if key is abnormally long

 tipc/misc.c | 3 +++
 tipc/node.c | 9 +++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

-- 
2.30.2



* [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long
From: Andrea Claudi @ 2021-05-01 16:32 UTC
  To: netdev; +Cc: stephen, dsahern

tipc segfaults when called with an abnormally long algname:

$ tipc node set key 0x1234 algname supercalifragilistichespiralidososupercalifragilistichespiralidoso
*** buffer overflow detected ***: terminated

Fix this by returning an error if the provided algname is longer than
TIPC_AEAD_ALG_NAME.

Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
---
 tipc/node.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/tipc/node.c b/tipc/node.c
index ae75bfff..bf592a07 100644
--- a/tipc/node.c
+++ b/tipc/node.c
@@ -236,10 +236,15 @@ get_ops:
 
 	/* Get algorithm name, default: "gcm(aes)" */
 	opt_algname = get_opt(opts, "algname");
-	if (!opt_algname)
+	if (!opt_algname) {
 		strcpy(input.key.alg_name, "gcm(aes)");
-	else
+	} else {
+		if (strlen(opt_algname->val) > TIPC_AEAD_ALG_NAME) {
+			fprintf(stderr, "error, invalid algname\n");
+			return -EINVAL;
+		}
 		strcpy(input.key.alg_name, opt_algname->val);
+	}
 
 	/* Get node identity */
 	opt_nodeid = get_opt(opts, "nodeid");
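Review bot: the new `if (strlen(opt_algname->val) > TIPC_AEAD_ALG_NAME)` check is off by one if `input.key.alg_name` is an array of TIPC_AEAD_ALG_NAME bytes: a name of exactly TIPC_AEAD_ALG_NAME characters passes the test, and the `strcpy()` that follows then writes TIPC_AEAD_ALG_NAME + 1 bytes once the terminator is counted, which is the same overflow the patch sets out to stop. Suggest `if (strlen(opt_algname->val) >= sizeof(input.key.alg_name))`, which ties the limit to the destination instead of the macro, and an error message that names the limit, e.g. `fprintf(stderr, "error, algname longer than %zu bytes\n", sizeof(input.key.alg_name) - 1);`, so the user learns what was rejected.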
-- 
2.30.2



* [PATCH iproute2 2/2] tipc: bail out if key is abnormally long
From: Andrea Claudi @ 2021-05-01 16:32 UTC
  To: netdev; +Cc: stephen, dsahern

tipc segfaults when called with an abnormally long key:

$ tipc node set key 0123456789abcdef0123456789abcdef0123456789abcdef
*** buffer overflow detected ***: terminated

Fix this by returning an error if the key length is longer than
TIPC_AEAD_KEYLEN_MAX.

Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
---
 tipc/misc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tipc/misc.c b/tipc/misc.c
index 1daf3072..909975d8 100644
--- a/tipc/misc.c
+++ b/tipc/misc.c
@@ -113,6 +113,9 @@ int str2key(char *str, struct tipc_aead_key *key)
 	    }
 	}
 
+	if (len > TIPC_AEAD_KEYLEN_MAX)
+		return -1;
+
 	/* Obtain key: */
 	if (!ishex) {
 		key->keylen = len;
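Review bot: the `if (len > TIPC_AEAD_KEYLEN_MAX)` check sits before the `if (!ishex)` branch, so it limits the number of characters typed, not the number of bytes stored. For the non-hex branch visible below it (`key->keylen = len;`) that is the right quantity, but if the hex branch stores half as many bytes as the string has digits, a hex key whose digit count exceeds TIPC_AEAD_KEYLEN_MAX but whose decoded length does not is now refused although it would fit. Suggest moving the comparison into each branch against the length that branch actually copies, and reporting the reason (or at least the limit) before returning, since a bare `return -1` leaves the caller nothing to print.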
-- 
2.30.2


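The two checks this series adds, written out as an added C example that is not iproute2 code and not part of these patches. It re-declares the constants and a `struct aead_key` with the layout it assumes for `struct tipc_aead_key` in `<linux/tipc.h>` (TIPC_AEAD_ALG_NAME = 32, TIPC_AEAD_KEYLEN_MAX = 36, a fixed-size `key[]` instead of the flexible array); the names `set_algname()` and `hexval()`, the raw-versus-"0x" split in its `str2key()`, and the rejection of an odd number of hex digits are likewise assumptions of the example. It goes one step beyond the hunks: the algname limit is taken from `sizeof()` on the destination and compared with `>=` so the terminator always has room, and the key limit is applied to the number of bytes each branch actually stores rather than to the argument's character count.

```c
/* Added example, not iproute2 code: bounded handling of the "algname" and
 * "key" arguments.  Constants and struct layout are re-declared here and
 * assumed to match <linux/tipc.h>; key[] is fixed-size here rather than the
 * uapi flexible array. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define TIPC_AEAD_ALG_NAME   32        /* size of alg_name[], NUL included */
#define TIPC_AEAD_KEYLEN_MAX (32 + 4)  /* 256-bit key + 4-byte salt (assumed) */

struct aead_key {
	char alg_name[TIPC_AEAD_ALG_NAME];
	unsigned int keylen;
	unsigned char key[TIPC_AEAD_KEYLEN_MAX];
};

/* Copy name (default "gcm(aes)") into k->alg_name.  Returns 0 or -EINVAL.
 * The limit comes from sizeof() on the destination and uses ">=": a name
 * of exactly TIPC_AEAD_ALG_NAME characters still needs a byte for NUL. */
int set_algname(struct aead_key *k, const char *name)
{
	size_t n;

	if (!name)
		name = "gcm(aes)";
	n = strlen(name);
	if (n >= sizeof(k->alg_name))
		return -EINVAL;
	memcpy(k->alg_name, name, n + 1);
	return 0;
}

/* Only called on characters that already passed isxdigit(). */
static int hexval(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	return c - 'A' + 10;
}

/* "0x" followed only by hex digits is decoded to bytes; anything else is
 * taken verbatim (assumed split; the even-digit-count rule is also an
 * assumption).  The length check is done per branch on the number of
 * bytes actually stored.  Returns that count, or -EINVAL. */
int str2key(const char *str, struct aead_key *k)
{
	size_t len = strlen(str), i;
	int ishex = 0;

	if (len > 2 && strncmp(str, "0x", 2) == 0) {
		ishex = 1;
		for (i = 2; i < len; i++)
			if (!isxdigit((unsigned char)str[i])) {
				ishex = 0;
				break;
			}
	}
	if (ishex) {
		str += 2;
		len -= 2;
		if (len % 2 != 0 || len / 2 > TIPC_AEAD_KEYLEN_MAX)
			return -EINVAL;
		for (i = 0; i < len; i += 2)
			k->key[i / 2] = (unsigned char)((hexval(str[i]) << 4) |
							hexval(str[i + 1]));
		k->keylen = (unsigned int)(len / 2);
	} else {
		if (len > TIPC_AEAD_KEYLEN_MAX)
			return -EINVAL;
		memcpy(k->key, str, len);
		k->keylen = (unsigned int)len;
	}
	return (int)k->keylen;
}

int main(void)
{
	struct aead_key k = { { 0 }, 0, { 0 } };
	const char *long_name = "supercalifragilistichespiralidoso"
				"supercalifragilistichespiralidoso";
	const char *raw_key = "0123456789abcdef0123456789abcdef0123456789abcdef";
	const char *hex_key = "0x0123456789abcdef0123456789abcdef"
			      "0123456789abcdef0123456789abcdef";

	printf("default algname: %d (%s)\n", set_algname(&k, NULL), k.alg_name);
	printf("66-char algname: %d\n", set_algname(&k, long_name));
	printf("48-byte raw key: %d\n", str2key(raw_key, &k));
	printf("64-digit hex key: %d bytes\n", str2key(hex_key, &k));
	return 0;
}
```

Compiled stand-alone, `main()` feeds it the two overlong arguments from the commit messages plus a 64-digit hex key: the first two are refused with -EINVAL instead of overflowing, and the hex key is accepted as 32 bytes even though its 64 digits exceed TIPC_AEAD_KEYLEN_MAX.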

* Re: [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long
From: David Ahern @ 2021-05-03 14:50 UTC
  To: Andrea Claudi, netdev, Tuong Lien; +Cc: stephen

[ cc author of Fixes commit ]

On 5/1/21 10:32 AM, Andrea Claudi wrote:
> tipc segfaults when called with an abnormally long algname:
> 
> $ tipc node set key 0x1234 algname supercalifragilistichespiralidososupercalifragilistichespiralidoso
> *** buffer overflow detected ***: terminated
> 
> Fix this by returning an error if the provided algname is longer than
> TIPC_AEAD_ALG_NAME.
> 
> Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
> Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
> ---
>  tipc/node.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/tipc/node.c b/tipc/node.c
> index ae75bfff..bf592a07 100644
> --- a/tipc/node.c
> +++ b/tipc/node.c
> @@ -236,10 +236,15 @@ get_ops:
>  
>  	/* Get algorithm name, default: "gcm(aes)" */
>  	opt_algname = get_opt(opts, "algname");
> -	if (!opt_algname)
> +	if (!opt_algname) {
>  		strcpy(input.key.alg_name, "gcm(aes)");
> -	else
> +	} else {
> +		if (strlen(opt_algname->val) > TIPC_AEAD_ALG_NAME) {
> +			fprintf(stderr, "error, invalid algname\n");
> +			return -EINVAL;
> +		}
>  		strcpy(input.key.alg_name, opt_algname->val);
> +	}
>  
>  	/* Get node identity */
>  	opt_nodeid = get_opt(opts, "nodeid");
> 
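Review bot: both branches of the quoted hunk still end in an unbounded `strcpy()` into `input.key.alg_name`, so the length check and the copy can drift apart the next time either is edited. Suggest one bounded copy for both cases, `snprintf(input.key.alg_name, sizeof(input.key.alg_name), "%s", opt_algname ? opt_algname->val : "gcm(aes)")`, and treating a return value of `sizeof(input.key.alg_name)` or more as the invalid-algname error; that collapses the if/else into a single check that cannot overflow regardless of how the limit macro is defined.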

