From: Xu Panda <[email protected]>
The implementation of strscpy() is more robust and safer.
That's now the recommended way to copy NUL-terminated strings.
Signed-off-by: Xu Panda <[email protected]>
Signed-off-by: Yang Yang <[email protected]>
---
drivers/staging/ks7010/ks_wlan_net.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c
index 044c807ca022..e03c87f0bfe7 100644
--- a/drivers/staging/ks7010/ks_wlan_net.c
+++ b/drivers/staging/ks7010/ks_wlan_net.c
@@ -382,8 +382,7 @@ static int ks_wlan_get_nick(struct net_device *dev,
return -EPERM;
/* for SLEEP MODE */
- strncpy(extra, priv->nick, 16);
- extra[16] = '\0';
+ strscpy(extra, priv->nick, 17);
dwrq->data.length = strlen(extra) + 1;
return 0;
--
2.15.2
On Thu, Dec 29, 2022 at 12:45:10PM +0300, Dan Carpenter wrote:
> On Mon, Dec 26, 2022 at 07:03:24PM +0800, [email protected] wrote:
> > From: Xu Panda <[email protected]>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
> >
> > Signed-off-by: Xu Panda <[email protected]>
> > Signed-off-by: Yang Yang <[email protected]>
> > ---
> > drivers/staging/ks7010/ks_wlan_net.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c
> > index 044c807ca022..e03c87f0bfe7 100644
> > --- a/drivers/staging/ks7010/ks_wlan_net.c
> > +++ b/drivers/staging/ks7010/ks_wlan_net.c
> > @@ -382,8 +382,7 @@ static int ks_wlan_get_nick(struct net_device *dev,
> > return -EPERM;
> >
> > /* for SLEEP MODE */
> > - strncpy(extra, priv->nick, 16);
> > - extra[16] = '\0';
> > + strscpy(extra, priv->nick, 17);
>
> I think this code is a buffer overflow. This is an implementation of
> SIOCGIWNICKN.
Huh... Maybe I'm wrong. I looked at a couple other implementations of
SIOCGIWNICKN and they all seem to assume a 17 character buffer...
Let me look deeper. I guess for now assume I am wrong.
regards,
dan carpenter
On Thu, Dec 29, 2022 at 12:45:10PM +0300, Dan Carpenter wrote:
> On Mon, Dec 26, 2022 at 07:03:24PM +0800, [email protected] wrote:
> > From: Xu Panda <[email protected]>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
> >
> > Signed-off-by: Xu Panda <[email protected]>
> > Signed-off-by: Yang Yang <[email protected]>
> > ---
> > drivers/staging/ks7010/ks_wlan_net.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c
> > index 044c807ca022..e03c87f0bfe7 100644
> > --- a/drivers/staging/ks7010/ks_wlan_net.c
> > +++ b/drivers/staging/ks7010/ks_wlan_net.c
> > @@ -382,8 +382,7 @@ static int ks_wlan_get_nick(struct net_device *dev,
> > return -EPERM;
> >
> > /* for SLEEP MODE */
> > - strncpy(extra, priv->nick, 16);
> > - extra[16] = '\0';
> > + strscpy(extra, priv->nick, 17);
>
> I think this code is a buffer overflow. This is an implementation of
> SIOCGIWNICKN.
>
> net/wireless/wext-core.c
> 169 [IW_IOCTL_IDX(SIOCGIWNICKN)] = {
> 170 .header_type = IW_HEADER_TYPE_POINT,
> 171 .token_size = 1,
> 172 .max_tokens = IW_ESSID_MAX_SIZE,
> 173 },
>
Yeah. I was wrong. The extra size here is .max_tokens * .token_size so
it's 32.
Sorry for the noise!
Reviewed-by: Dan Carpenter <[email protected]>
regards,
dan carpenter
On Mon, Dec 26, 2022 at 07:03:24PM +0800, [email protected] wrote:
> From: Xu Panda <[email protected]>
>
> The implementation of strscpy() is more robust and safer.
> That's now the recommended way to copy NUL-terminated strings.
>
> Signed-off-by: Xu Panda <[email protected]>
> Signed-off-by: Yang Yang <[email protected]>
> ---
> drivers/staging/ks7010/ks_wlan_net.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c
> index 044c807ca022..e03c87f0bfe7 100644
> --- a/drivers/staging/ks7010/ks_wlan_net.c
> +++ b/drivers/staging/ks7010/ks_wlan_net.c
> @@ -382,8 +382,7 @@ static int ks_wlan_get_nick(struct net_device *dev,
> return -EPERM;
>
> /* for SLEEP MODE */
> - strncpy(extra, priv->nick, 16);
> - extra[16] = '\0';
> + strscpy(extra, priv->nick, 17);
I think this code is a buffer overflow. This is an implementation of
SIOCGIWNICKN.
net/wireless/wext-core.c
169 [IW_IOCTL_IDX(SIOCGIWNICKN)] = {
170 .header_type = IW_HEADER_TYPE_POINT,
171 .token_size = 1,
172 .max_tokens = IW_ESSID_MAX_SIZE,
173 },
As you can see there is a .max_tokens but no .min_tokens. It is called
from ioctl_standard_iw_point(). So if the user specifies something
smaller than 17 it leads to a buffer overflow.
Your patch is mechanically correct, but now that we have eyes on the
code we should fix the security bug instead making checkpatch happy or
whatever.
regards,
dan carpenter
On Thu, Dec 29, 2022 at 12:54:28PM +0300, Dan Carpenter wrote:
> Reviewed-by: Dan Carpenter <[email protected]>
Heh. My fingers are on autopilot.
Reviewed-by: Dan Carpenter <[email protected]>
regards,
dan carpenter