From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Christophe JAILLET, Chuck Lever, Sasha Levin
Subject: [PATCH 4.14 093/166] SUNRPC: Fix a potential buffer overflow in svc_print_xprts()
Date: Tue, 29 Sep 2020 13:00:05 +0200
Message-Id: <20200929105939.864115668@linuxfoundation.org>
In-Reply-To: <20200929105935.184737111@linuxfoundation.org>
References: <20200929105935.184737111@linuxfoundation.org>

From: Christophe JAILLET

[ Upstream commit b25b60d7bfb02a74bc3c2d998e09aab159df8059 ]

'maxlen' is the total size of the destination buffer. There is only one
caller and this value is 256.

When we compute the size already used and what we would like to add in
the buffer, the trailing NULL character is not taken into account.
However, this trailing character will be added by the 'strcat' once we
have checked that we have enough place.

So, there is an off-by-one issue and 1 byte of the stack could be
erroneously overwritten.

Take into account the trailing NULL, when checking if there is enough
place in the destination buffer.

While at it, also replace a 'sprintf' by a safer 'snprintf', check for
output truncation and avoid a superfluous 'strlen'.

Fixes: dc9a16e49dbba ("svc: Add /proc/sys/sunrpc/transport files")
Signed-off-by: Christophe JAILLET
[ cel: very minor fix to documenting comment
Signed-off-by: Chuck Lever
Signed-off-by: Sasha Levin
--- net/sunrpc/svc_xprt.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c index 7e5f849b44cdb..b293827b2a583 100644 --- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c 
@@ -103,8 +103,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl) } EXPORT_SYMBOL_GPL(svc_unreg_xprt_class); -/* - * Format the transport list for printing +/** + * svc_print_xprts - Format the transport list for printing + * @buf: target buffer for formatted address + * @maxlen: length of target buffer + * + * Fills in @buf with a string containing a list of transport names, each name + * terminated with '\n'. If the buffer is too small, some entries may be + * missing, but it is guaranteed that all lines in the output buffer are + * complete. + * + * Returns positive length of the filled-in string. */ int svc_print_xprts(char *buf, int maxlen) { @@ -117,9 +126,9 @@ int svc_print_xprts(char *buf, int maxlen) list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { int slen; - sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload); - slen = strlen(tmpstr); - if (len + slen > maxlen) + slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n", + xcl->xcl_name, xcl->xcl_max_payload); + if (slen >= sizeof(tmpstr) || len + slen >= maxlen) break; len += slen; strcat(buf, tmpstr); -- 2.25.1
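
Review bot: in the new kernel-doc block of the first hunk, "@buf: target buffer for formatted address" describes an address, while the paragraph under it says the buffer receives a list of transport names; something like "target buffer for the formatted transport list" would match. The comment also does not state that @buf must already hold a NUL-terminated string, which the strcat(buf, tmpstr) in the loop depends on, and "Returns positive length" does not say what is returned when the loop breaks on the first entry and nothing is appended.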
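
Review bot: in the loop of the second hunk, "slen >= sizeof(tmpstr)" compares an int with a size_t, so the truncation test relies on implicit conversion; an explicit cast on slen would make the intent visible and keep sign-compare warnings quiet. Since len is already tracked, strcat(buf, tmpstr) also rescans buf from the start on every iteration; copying slen + 1 bytes to buf + len would avoid the rescan and the reliance on buf's prior contents. The "len + slen >= maxlen" bound itself is consistent with strcat writing slen characters plus the terminator.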
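
The off-by-one described in the commit message, as an added userspace example that is not part of the patch or of the kernel source: the same append loop is run with the pre-patch and the patched bound against a buffer followed by a guard byte. The names print_entries, guard_clobbered and sample, and the sample data, are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's transport class list. */
struct entry { const char *name; int max_payload; };
static const struct entry sample[] = { {"tcp", 1048576}, {"udp", 65536} };

/*
 * Append "name payload\n" lines to buf, whose capacity is maxlen bytes
 * including the terminating NUL.
 * strict = 0: pre-patch test  (len + slen >  maxlen)
 * strict = 1: patched test    (len + slen >= maxlen)
 * Returns the number of characters written, not counting the NUL.
 */
static int print_entries(char *buf, int maxlen,
                         const struct entry *e, int n, int strict)
{
    char tmpstr[80];
    int len = 0;

    buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        int slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n",
                            e[i].name, e[i].max_payload);
        if (slen < 0 || (size_t)slen >= sizeof(tmpstr))
            break;                      /* formatting error or truncation */
        if (strict ? (len + slen >= maxlen) : (len + slen > maxlen))
            break;                      /* no room for this line */
        len += slen;
        strcat(buf, tmpstr);            /* writes slen chars plus one NUL */
    }
    return len;
}

/* Place one guard byte right after a maxlen-byte buffer and report
 * whether the formatter overwrote it. */
static int guard_clobbered(int maxlen, int strict)
{
    char backing[64];

    memset(backing, 0x55, sizeof(backing));
    print_entries(backing, maxlen, sample, 2, strict);
    return backing[maxlen] != 0x55;
}

int main(void)
{
    /* The two sample lines total exactly 22 characters. */
    printf("maxlen=22 pre-patch: guard clobbered=%d\n", guard_clobbered(22, 0));
    printf("maxlen=22 patched:   guard clobbered=%d\n", guard_clobbered(22, 1));
    return 0;
}
```
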