diff options
| author | Jon Maloy <jon.maloy@ericsson.com> | 2018-03-29 23:20:45 +0200 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-03-31 22:19:52 -0400 |
| commit | 7494cfa6d36d1556f17baa012dd93833620783db (patch) | |
| tree | c1905f23eaf0b2aeb7195a78ca378bcb94414251 /kernel/elfcore.c | |
| parent | 7a74d39cc2927302bc236397c1fdb1fe5be209ce (diff) | |
| download | talos-obmc-linux-7494cfa6d36d1556f17baa012dd93833620783db.tar.gz talos-obmc-linux-7494cfa6d36d1556f17baa012dd93833620783db.zip | |
tipc: avoid possible string overflow
gcc points out that the combined length of the fixed-length inputs to
l->name is larger than the destination buffer size:
net/tipc/link.c: In function 'tipc_link_create':
net/tipc/link.c:465:26: error: '%s' directive writing up to 32 bytes
into a region of size between 26 and 58 [-Werror=format-overflow=]
sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);
net/tipc/link.c:465:2: note: 'sprintf' output 11 or more bytes
(assuming 75) into a destination of size 60
sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);
A detailed analysis reveals that the theoretical maximum length of
a link name is:
max self_str + 1 + max if_name + 1 + max peer_str + 1 + max if_name =
16 + 1 + 15 + 1 + 16 + 1 + 15 = 65
Since we also need space for a trailing zero we now set MAX_LINK_NAME
to 68.
Just to be on the safe side we also replace the sprintf() call with
snprintf().
Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address
hash values")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/elfcore.c')
0 files changed, 0 insertions, 0 deletions
