Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tipc: guard against string buffer overrun

Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.

.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.

Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")

Compile tested only.

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Simon Horman and committed by Jakub Kicinski
6555a2a9 b71441b7

+6 -2
net/tipc/bearer.c
··· 163 163 164 164 /* return bearer name components, if necessary */ 165 165 if (name_parts) { 166 - strcpy(name_parts->media_name, media_name); 167 - strcpy(name_parts->if_name, if_name); 166 + if (strscpy(name_parts->media_name, media_name, 167 + TIPC_MAX_MEDIA_NAME) < 0) 168 + return 0; 169 + if (strscpy(name_parts->if_name, if_name, 170 + TIPC_MAX_IF_NAME) < 0) 171 + return 0; 168 172 } 169 173 return 1; 170 174 }
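
Review bot: Both added strscpy() calls take their bound from a named constant (TIPC_MAX_MEDIA_NAME, TIPC_MAX_IF_NAME) rather than from the destination field, and the hunk does not show the declaration of name_parts, so nothing visible here ties the limit to the array it protects. Consider sizeof(name_parts->media_name) and sizeof(name_parts->if_name) so the bound follows the struct if a field size ever changes. Also, when the second copy fails the function returns 0 with name_parts->media_name already written; a short comment stating that callers must not read name_parts on a 0 return would help. Since the commit message says the change was compile tested only, a test with an over-long interface name would confirm the new failure path.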