Commit 68023e07 authored by Hao Chen's avatar Hao Chen Committed by Jiantao Xiao
Browse files

net: hns3: fix strncpy() not using dest-buf length as length issue 

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7B8SA


CVE: NA

----------------------------------------------------------------------

Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length,
it may result in dest-buf overflow.

This patch add some values check to avoid this issue.

Fixes: 721091d1 ("net: hns3: refactor dump bd info of debugfs")
Signed-off-by: default avatarHao Chen <chenhao418@huawei.com>
parent 417e0f6b

drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c

+24 −7
Original line number Diff line number Diff line
@@ -445,19 +445,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, 
				  const struct hns3_dbg_item *items,

				  const char **result, u16 size)

{

#define HNS3_DBG_LINE_END_LEN	2

	char *pos = content;

	u16 item_len;

	u16 i;



	if (!len) {

		return;

	} else if (len <= HNS3_DBG_LINE_END_LEN) {

		*pos++ = '\0';

		return;

	}



	memset(content, ' ', len);

	for (i = 0; i < size; i++) {

		if (result)

			strncpy(pos, result[i], strlen(result[i]));

		else

			strncpy(pos, items[i].name, strlen(items[i].name));

	len -= HNS3_DBG_LINE_END_LEN;



		pos += strlen(items[i].name) + items[i].interval;

	for (i = 0; i < size; i++) {

		item_len = strlen(items[i].name) + items[i].interval;

		if (len < item_len)

			break;



		if (result) {

			if (item_len < strlen(result[i]))

				break;

			memcpy(pos, result[i], strlen(result[i]));

		} else {

			memcpy(pos, items[i].name, strlen(items[i].name));

		}

		pos += item_len;

		len -= item_len;

	}



	*pos++ = '\n';

	*pos++ = '\0';

}

drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c

+24 −5
Original line number Diff line number Diff line
@@ -87,16 +87,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, 
				   const struct hclge_dbg_item *items,

				   const char **result, u16 size)

{

#define HCLGE_DBG_LINE_END_LEN	2

	char *pos = content;

	u16 item_len;

	u16 i;



	if (!len) {

		return;

	} else if (len <= HCLGE_DBG_LINE_END_LEN) {

		*pos++ = '\0';

		return;

	}



	memset(content, ' ', len);

	len -= HCLGE_DBG_LINE_END_LEN;



	for (i = 0; i < size; i++) {

		if (result)

			strncpy(pos, result[i], strlen(result[i]));

		else

			strncpy(pos, items[i].name, strlen(items[i].name));

		pos += strlen(items[i].name) + items[i].interval;

		item_len = strlen(items[i].name) + items[i].interval;

		if (len < item_len)

			break;



		if (result) {

			if (item_len < strlen(result[i]))

				break;

			memcpy(pos, result[i], strlen(result[i]));

		} else {

			memcpy(pos, items[i].name, strlen(items[i].name));

		}

		pos += item_len;

		len -= item_len;

	}

	*pos++ = '\n';

	*pos++ = '\0';