Commit c6d4ec9b authored by Alexey Kodanev's avatar Alexey Kodanev Committed by Zhengchao Shao
Browse files

bna: adjust 'name' buf size of bna_tcb and bna_ccb structures 

stable inclusion
from stable-v5.10.224
commit 6ce46045f9b90d952602e2c0b8886cfadf860bf1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ5H
CVE: CVE-2024-43839

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ce46045f9b90d952602e2c0b8886cfadf860bf1



---------------------------

[ Upstream commit c9741a03dc8e491e57b95fba0058ab46b7e506da ]

To have enough space to write all possible sprintf() args. Currently
'name' size is 16, but the first '%s' specifier may already need at
least 16 characters, since 'bnad->netdev->name' is used there.

For '%d' specifiers, assume that they require:
 * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8
 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX
   is 16

And replace sprintf with snprintf.

Detected using the static analysis tool - Svace.

Fixes: 8b230ed8 ("bna: Brocade 10Gb Ethernet device driver")
Signed-off-by: default avatarAlexey Kodanev <aleksei.kodanev@bell-sw.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
parent 10361bdc

drivers/net/ethernet/brocade/bna/bna_types.h

+1 −1
Original line number Diff line number Diff line
@@ -410,7 +410,7 @@ struct bna_ib { 
/* Tx object */



/* Tx datapath control structure */

#define BNA_Q_NAME_SIZE		16

#define BNA_Q_NAME_SIZE		(IFNAMSIZ + 6)

struct bna_tcb {

	/* Fast path */

	void			**sw_qpt;

drivers/net/ethernet/brocade/bna/bnad.c

+6 −5
Original line number Diff line number Diff line
@@ -1535,7 +1535,8 @@ bnad_tx_msix_register(struct bnad *bnad, struct bnad_tx_info *tx_info, 


	for (i = 0; i < num_txqs; i++) {

		vector_num = tx_info->tcb[i]->intr_vector;

		sprintf(tx_info->tcb[i]->name, "%s TXQ %d", bnad->netdev->name,

		snprintf(tx_info->tcb[i]->name, BNA_Q_NAME_SIZE, "%s TXQ %d",

			 bnad->netdev->name,

			 tx_id + tx_info->tcb[i]->id);

		err = request_irq(bnad->msix_table[vector_num].vector,

				  (irq_handler_t)bnad_msix_tx, 0,
@@ -1586,8 +1587,8 @@ bnad_rx_msix_register(struct bnad *bnad, struct bnad_rx_info *rx_info, 


	for (i = 0; i < num_rxps; i++) {

		vector_num = rx_info->rx_ctrl[i].ccb->intr_vector;

		sprintf(rx_info->rx_ctrl[i].ccb->name, "%s CQ %d",

			bnad->netdev->name,

		snprintf(rx_info->rx_ctrl[i].ccb->name, BNA_Q_NAME_SIZE,

			 "%s CQ %d", bnad->netdev->name,

			 rx_id + rx_info->rx_ctrl[i].ccb->id);

		err = request_irq(bnad->msix_table[vector_num].vector,

				  (irq_handler_t)bnad_msix_rx, 0,