From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Karsten Graul, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.17 094/219] net/smc: use memcpy instead of snprintf to avoid out of bounds read
Date: Mon, 18 Apr 2022 14:11:03 +0200
Message-Id: <20220418121209.336563326@linuxfoundation.org>
In-Reply-To: <20220418121203.462784814@linuxfoundation.org>
References: <20220418121203.462784814@linuxfoundation.org>

From: Karsten Graul

[ Upstream commit b1871fd48efc567650dbdc974e5a2342a03fe0d2 ]

Using snprintf() to convert not null-terminated strings to null terminated strings may cause out of bounds read in the source string. Therefore use memcpy() and terminate the target string with a null afterwards.

Fixes: fa0866625543 ("net/smc: add support for user defined EIDs")
Fixes: 3c572145c24e ("net/smc: add generic netlink support for system EID")
Signed-off-by: Karsten Graul
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/smc/smc_clc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index ce27399b38b1..f9f3f59c79de 100644 --- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c
@@ -191,7 +191,8 @@ static int smc_nl_ueid_dumpinfo(struct sk_buff *skb, u32 portid, u32 seq, flags, SMC_NETLINK_DUMP_UEID); if (!hdr) return -ENOMEM; - snprintf(ueid_str, sizeof(ueid_str), "%s", ueid); + memcpy(ueid_str, ueid, SMC_MAX_EID_LEN); + ueid_str[SMC_MAX_EID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_EID_TABLE_ENTRY, ueid_str)) { genlmsg_cancel(skb, hdr); return -EMSGSIZE; @@ -252,7 +253,8 @@ int smc_nl_dump_seid(struct sk_buff *skb, struct netlink_callback *cb) goto end; smc_ism_get_system_eid(&seid); - snprintf(seid_str, sizeof(seid_str), "%s", seid); + memcpy(seid_str, seid, SMC_MAX_EID_LEN); + seid_str[SMC_MAX_EID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_SEID_ENTRY, seid_str)) goto err; read_lock(&smc_clc_eid_table.lock); -- 2.35.1
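
Review bot: In the first hunk (smc_nl_ueid_dumpinfo), the copy length and the terminator index are both the constant SMC_MAX_EID_LEN, where the removed snprintf() call was bounded by sizeof(ueid_str). The declaration of ueid_str is outside the visible context, so the store to ueid_str[SMC_MAX_EID_LEN] is in bounds only if the array holds at least SMC_MAX_EID_LEN + 1 bytes. A compile-time check next to the copy, such as BUILD_BUG_ON(sizeof(ueid_str) <= SMC_MAX_EID_LEN), would make that assumption explicit and keep it from breaking silently if either the constant or the buffer changes.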
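
Review bot: In the second hunk (smc_nl_dump_seid), memcpy() reads exactly SMC_MAX_EID_LEN bytes from seid unconditionally, and nothing in the visible lines checks what smc_ism_get_system_eid(&seid) stored there. Please document, in the commit message or a comment at the call, that the getter always leaves seid pointing at a buffer of at least SMC_MAX_EID_LEN bytes, or guard the copy. The same copy-and-terminate pair now appears in both hunks, so a small helper taking the destination, source and length would keep the copy length and the terminator index from drifting apart.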