Commit 40d03f04 authored Nov 01, 2024 by Simon Horman Committed by dinglongwei Nov 01, 2024

tipc: guard against string buffer overrun

stable inclusion
from stable-v6.6.55
commit 12d26aa7fd3cbdbc5149b6e516563478d575026e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6
CVE: CVE-2024-49995

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=12d26aa7fd3cbdbc5149b6e516563478d575026e



--------------------------------

[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]

Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.

 .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
 .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.

Introduced by commit b97bf3fd ("[TIPC] Initial merge")

Compile tested only.

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: dinglongwei <dinglongwei1@huawei.com>

parent 4cd9ac5b

net/tipc/bearer.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,

		/* return bearer name components, if necessary */
		if (name_parts) {
		strcpy(name_parts->media_name, media_name);
		strcpy(name_parts->if_name, if_name);
		if (strscpy(name_parts->media_name, media_name,
		TIPC_MAX_MEDIA_NAME) < 0)
		return 0;
		if (strscpy(name_parts->if_name, if_name,
		TIPC_MAX_IF_NAME) < 0)
		return 0;
		}
		return 1;
		}