Date: Thu, 29 Dec 2022 12:45:10 +0300
From: Dan Carpenter
To: yang.yang29@zte.com.cn
Cc: gustavoars@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, xu.panda@zte.com.cn
Subject: Re: [PATCH linux-next] staging: ks7010: use strscpy() to instead of strncpy()

On Mon, Dec 26, 2022 at 07:03:24PM +0800, yang.yang29@zte.com.cn wrote:
> From: Xu Panda
>
> The implementation of strscpy() is more robust and safer.
> That's now the recommended way to copy NUL-terminated strings.
>
> Signed-off-by: Xu Panda
> Signed-off-by: Yang Yang
> --- > drivers/staging/ks7010/ks_wlan_net.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c > index 044c807ca022..e03c87f0bfe7 100644 > --- a/drivers/staging/ks7010/ks_wlan_net.c > +++ b/drivers/staging/ks7010/ks_wlan_net.c
> @@ -382,8 +382,7 @@ static int ks_wlan_get_nick(struct net_device *dev, > return -EPERM; > > /* for SLEEP MODE */ > - strncpy(extra, priv->nick, 16); > - extra[16] = '\0'; > + strscpy(extra, priv->nick, 17);

I think this code is a buffer overflow. This is an implementation of SIOCGIWNICKN.

net/wireless/wext-core.c
	[IW_IOCTL_IDX(SIOCGIWNICKN)] = {
		.header_type = IW_HEADER_TYPE_POINT,
		.token_size = 1,
		.max_tokens = IW_ESSID_MAX_SIZE,
	},

As you can see there is a .max_tokens but no .min_tokens. It is called from ioctl_standard_iw_point(). So if the user specifies something smaller than 17 it leads to a buffer overflow.

Your patch is mechanically correct, but now that we have eyes on the code we should fix the security bug instead of making checkpatch happy or whatever.

regards,
dan carpenter
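
Review bot: the size argument in strscpy(extra, priv->nick, 17) is a literal that nothing in this hunk ties to the real size of extra. The removed lines had the same 17-byte footprint (strncpy() of 16 bytes plus extra[16] = '\0'), so the conversion carries over whatever bounds problem the old code had. Bound the copy by the length the caller actually supplied, capped at 17, and check the return value, since strscpy() reports truncation with a negative error code.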
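
Added example, not part of the original message or the kernel source: a userspace C model of the overflow described in the reply above, with a fixed 17-byte copy beside a copy bounded by the caller's length. The names model_strscpy, get_nick_fixed, get_nick_bounded and bytes_past_buffer, the arena layout and the sample nick are constructed for illustration; the real handler's signature differs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NICK_COPY_LEN 17	/* the literal size used in the patch */
#define CANARY 0xAA		/* fill byte marking memory the handler must not touch */

/* Userspace stand-in for strscpy(): writes at most count bytes including the
 * NUL; returns the copied length, or -1 on truncation (kernel: -E2BIG). */
static long model_strscpy(char *dst, const char *src, size_t count)
{
	size_t i;

	if (count == 0)
		return -1;
	for (i = 0; i < count - 1 && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	return src[i] == '\0' ? (long)i : -1;
}

/* As in the patch: the caller's buffer length is never consulted. */
static long get_nick_fixed(char *extra, size_t user_len, const char *nick)
{
	(void)user_len;
	return model_strscpy(extra, nick, NICK_COPY_LEN);
}

/* Hardened variant (assumption): cap the copy at the caller's length. */
static long get_nick_bounded(char *extra, size_t user_len, const char *nick)
{
	return model_strscpy(extra, nick,
			     user_len < NICK_COPY_LEN ? user_len : NICK_COPY_LEN);
}

/* Treat the first user_len bytes of an arena as the caller's buffer and
 * count how many bytes beyond it the handler modified. */
static size_t bytes_past_buffer(long (*h)(char *, size_t, const char *),
				size_t user_len)
{
	unsigned char arena[64];
	size_t i, clobbered = 0;

	memset(arena, CANARY, sizeof(arena));
	h((char *)arena, user_len, "sixteen-char-nic");	/* constructed 16-byte nick */
	for (i = user_len; i < sizeof(arena); i++)
		clobbered += arena[i] != CANARY;
	return clobbered;
}

int main(void)
{
	printf("fixed: %zu past, bounded: %zu past\n",
	       bytes_past_buffer(get_nick_fixed, 8), bytes_past_buffer(get_nick_bounded, 8));
	return 0;
}
```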