* [PATCH iproute2 0/2] tipc: input validation
@ 2021-05-01 16:32 Andrea Claudi
2021-05-01 16:32 ` [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long Andrea Claudi
2021-05-01 16:32 ` [PATCH iproute2 2/2] tipc: bail out if key " Andrea Claudi
0 siblings, 2 replies; 5+ messages in thread
From: Andrea Claudi @ 2021-05-01 16:32 UTC (permalink / raw)
To: netdev; +Cc: stephen, dsahern
This series fixes two buffer overflows on tipc due to missing input length
validation on key and algname params.
Andrea Claudi (2):
tipc: bail out if algname is abnormally long
tipc: bail out if key is abnormally long
tipc/misc.c | 3 +++
tipc/node.c | 9 +++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
--
2.30.2
* [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long
2021-05-01 16:32 [PATCH iproute2 0/2] tipc: input validation Andrea Claudi
@ 2021-05-01 16:32 ` Andrea Claudi
2021-05-03 14:50 ` David Ahern
2021-05-09 22:10 ` David Ahern
2021-05-01 16:32 ` [PATCH iproute2 2/2] tipc: bail out if key " Andrea Claudi
1 sibling, 2 replies; 5+ messages in thread
From: Andrea Claudi @ 2021-05-01 16:32 UTC (permalink / raw)
To: netdev; +Cc: stephen, dsahern
tipc segfaults when called with an abnormally long algname:
$ tipc node set key 0x1234 algname supercalifragilistichespiralidososupercalifragilistichespiralidoso
*** buffer overflow detected ***: terminated
Fix this returning an error if provided algname is longer than
TIPC_AEAD_ALG_NAME.
Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
---
tipc/node.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tipc/node.c b/tipc/node.c
index ae75bfff..bf592a07 100644
--- a/tipc/node.c
+++ b/tipc/node.c
@@ -236,10 +236,15 @@ get_ops:
/* Get algorithm name, default: "gcm(aes)" */
opt_algname = get_opt(opts, "algname");
- if (!opt_algname)
+ if (!opt_algname) {
strcpy(input.key.alg_name, "gcm(aes)");
- else
+ } else {
+ if (strlen(opt_algname->val) > TIPC_AEAD_ALG_NAME) {
+ fprintf(stderr, "error, invalid algname\n");
+ return -EINVAL;
+ }
strcpy(input.key.alg_name, opt_algname->val);
+ }
/* Get node identity */
opt_nodeid = get_opt(opts, "nodeid");
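Review bot: the new length test in the else branch uses `>`, so an algname of exactly TIPC_AEAD_ALG_NAME characters passes and the strcpy() that follows writes TIPC_AEAD_ALG_NAME + 1 bytes once the terminator is counted. The declaration of input.key.alg_name is not visible in this hunk; if the array is TIPC_AEAD_ALG_NAME bytes long, the test should be `strlen(opt_algname->val) >= TIPC_AEAD_ALG_NAME`. If the array is larger, a short comment stating its size next to the check would let a reader verify the bound.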
--
2.30.2
* [PATCH iproute2 2/2] tipc: bail out if key is abnormally long
2021-05-01 16:32 [PATCH iproute2 0/2] tipc: input validation Andrea Claudi
2021-05-01 16:32 ` [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long Andrea Claudi
@ 2021-05-01 16:32 ` Andrea Claudi
1 sibling, 0 replies; 5+ messages in thread
From: Andrea Claudi @ 2021-05-01 16:32 UTC (permalink / raw)
To: netdev; +Cc: stephen, dsahern
tipc segfaults when called with an abnormally long key:
$ tipc node set key 0123456789abcdef0123456789abcdef0123456789abcdef
*** buffer overflow detected ***: terminated
Fix this returning an error if key length is longer than
TIPC_AEAD_KEYLEN_MAX.
Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
---
tipc/misc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tipc/misc.c b/tipc/misc.c
index 1daf3072..909975d8 100644
--- a/tipc/misc.c
+++ b/tipc/misc.c
@@ -113,6 +113,9 @@ int str2key(char *str, struct tipc_aead_key *key)
}
}
+ if (len > TIPC_AEAD_KEYLEN_MAX)
+ return -1;
+
/* Obtain key: */
if (!ishex) {
key->keylen = len;
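Review bot: the added `len > TIPC_AEAD_KEYLEN_MAX` test in str2key() sits before the `if (!ishex)` branch, so one limit is applied to both hex and non-hex input, while only the non-hex path visibly stores len as key->keylen. If len counts hex digits at this point (not shown in the hunk), hex keys would be capped at about half the byte length allowed for plain keys; checking the computed key length inside each branch would avoid that. The bare `return -1` also produces no diagnostic unless the caller prints one, so it is worth confirming the caller reports the failure.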
--
2.30.2
* Re: [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long
2021-05-01 16:32 ` [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long Andrea Claudi
@ 2021-05-03 14:50 ` David Ahern
2021-05-09 22:10 ` David Ahern
1 sibling, 0 replies; 5+ messages in thread
From: David Ahern @ 2021-05-03 14:50 UTC (permalink / raw)
To: Andrea Claudi, netdev, Tuong Lien; +Cc: stephen
[ cc author of Fixes commit ]
On 5/1/21 10:32 AM, Andrea Claudi wrote:
> tipc segfaults when called with an abnormally long algname:
>
> $ tipc node set key 0x1234 algname supercalifragilistichespiralidososupercalifragilistichespiralidoso
> *** buffer overflow detected ***: terminated
>
> Fix this returning an error if provided algname is longer than
> TIPC_AEAD_ALG_NAME.
>
> Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
> Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
> ---
> tipc/node.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/tipc/node.c b/tipc/node.c
> index ae75bfff..bf592a07 100644
> --- a/tipc/node.c
> +++ b/tipc/node.c
> @@ -236,10 +236,15 @@ get_ops:
>
> /* Get algorithm name, default: "gcm(aes)" */
> opt_algname = get_opt(opts, "algname");
> - if (!opt_algname)
> + if (!opt_algname) {
> strcpy(input.key.alg_name, "gcm(aes)");
> - else
> + } else {
> + if (strlen(opt_algname->val) > TIPC_AEAD_ALG_NAME) {
> + fprintf(stderr, "error, invalid algname\n");
> + return -EINVAL;
> + }
> strcpy(input.key.alg_name, opt_algname->val);
> + }
>
> /* Get node identity */
> opt_nodeid = get_opt(opts, "nodeid");
>
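Review bot: the message printed on rejection, "error, invalid algname", does not tell the user that the length was the problem. Including the limit in the fprintf(), for example by printing TIPC_AEAD_ALG_NAME alongside the text, would make the failure actionable from the command line.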
* Re: [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long
2021-05-01 16:32 ` [PATCH iproute2 1/2] tipc: bail out if algname is abnormally long Andrea Claudi
2021-05-03 14:50 ` David Ahern
@ 2021-05-09 22:10 ` David Ahern
1 sibling, 0 replies; 5+ messages in thread
From: David Ahern @ 2021-05-09 22:10 UTC (permalink / raw)
To: Andrea Claudi, netdev; +Cc: stephen
On 5/1/21 10:32 AM, Andrea Claudi wrote:
> tipc segfaults when called with an abnormally long algname:
>
> $ tipc node set key 0x1234 algname supercalifragilistichespiralidososupercalifragilistichespiralidoso
> *** buffer overflow detected ***: terminated
>
> Fix this returning an error if provided algname is longer than
> TIPC_AEAD_ALG_NAME.
>
> Fixes: 24bee3bf9752 ("tipc: add new commands to set TIPC AEAD key")
> Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
> ---
> tipc/node.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
applied both, thanks.