tipc: guard against string buffer overrun

horms · kuba-moo · commit 6555a2a9212b · 2024-08-02T17:16:09.000-07:00
Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3f ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,
 
 	/* return bearer name components, if necessary */
 	if (name_parts) {
-		strcpy(name_parts->media_name, media_name);
-		strcpy(name_parts->if_name, if_name);
+		if (strscpy(name_parts->media_name, media_name,
+			    TIPC_MAX_MEDIA_NAME) < 0)
+			return 0;
+		if (strscpy(name_parts->if_name, if_name,
+			    TIPC_MAX_IF_NAME) < 0)
+			return 0;
 	}
 	return 1;
 }

Original file line number	Diff line number	Diff line change
`@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,`
`163`	`163`
`164`	`164`	`/* return bearer name components, if necessary */`
`165`	`165`	`if (name_parts) {`
`166`		`- strcpy(name_parts->media_name, media_name);`
`167`		`- strcpy(name_parts->if_name, if_name);`
	`166`	`+ if (strscpy(name_parts->media_name, media_name,`
	`167`	`+ TIPC_MAX_MEDIA_NAME) < 0)`
	`168`	`+ return 0;`
	`169`	`+ if (strscpy(name_parts->if_name, if_name,`
	`170`	`+ TIPC_MAX_IF_NAME) < 0)`
	`171`	`+ return 0;`
`168`	`172`	`}`
`169`	`173`	`return 1;`
`170`	`174`	`}`