mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-19 17:11:03 +00:00
4f94864d21
Replace 3 instances of strncpy in ql4_mbx.c
No bugs exist in the current implementation as some care was taken to
ensure the write length was decreased by one to leave some space for a
NUL-byte. However, instead of using strncpy(dest, src, LEN-1) we can opt
for strscpy(dest, src, sizeof(dest)) which will result in NUL-termination
as well. It should be noted that the entire chap_table is zero-allocated so
the NUL-padding provided by strncpy is not needed.
While here, I noticed that MIN_CHAP_SECRET_LEN was not used anywhere.
Since strscpy gives us the number of bytes copied into the destination
buffer (or an -E2BIG) we can check both for an error during copying and
also for a non-length compliant secret. Add a new jump label so we can
properly clean up our chap_table should we have to abort due to bad secret.
The third instance in this file involves some more peculiar handling of
strings:
| uint32_t mbox_cmd[MBOX_REG_COUNT];
| ...
| memset(&mbox_cmd, 0, sizeof(mbox_cmd));
| ...
| mbox_cmd[0] = MBOX_CMD_SET_PARAM;
| if (param == SET_DRVR_VERSION) {
| mbox_cmd[1] = SET_DRVR_VERSION;
| strncpy((char *)&mbox_cmd[2], QLA4XXX_DRIVER_VERSION,
| MAX_DRVR_VER_LEN - 1);
mbox_cmd has a size of 8:
| #define MBOX_REG_COUNT 8
... and its type width is 4 bytes. Hence, we have 32 bytes to work with
here. The first 4 bytes are used as a flag for the MBOX_CMD_SET_PARAM.
The next 4 bytes are used for SET_DRVR_VERSION. We now have 32-8=24
bytes remaining -- which thankfully is what MAX_DRVR_VER_LEN is equal to
| #define MAX_DRVR_VER_LEN 24
... and the thing we're copying into this pseudo-string buffer is
| #define QLA4XXX_DRIVER_VERSION "5.04.00-k6"
... which is great because its less than 24 bytes (therefore we aren't
truncating the source).
All to say, there's no bug in the existing implementation (yay!) but we
can clean the code up a bit by using strscpy().
In ql4_os.c, there aren't any strncpy() uses to replace but there are
some existing strscpy() calls that could be made more idiomatic. Where
possible, use strscpy(dest, src, sizeof(dest)). Note that
chap_rec->password has a size of ISCSI_CHAP_AUTH_SECRET_MAX_LEN
| #define ISCSI_CHAP_AUTH_SECRET_MAX_LEN 256
... while the current strscpy usage uses QL4_CHAP_MAX_SECRET_LEN
| #define QL4_CHAP_MAX_SECRET_LEN 100
... however since chap_table->secret was set and bounded properly in its
string assignment its probably safe here to switch over to sizeof().
| struct iscsi_chap_rec {
...
| char username[ISCSI_CHAP_AUTH_NAME_MAX_LEN];
| uint8_t password[ISCSI_CHAP_AUTH_SECRET_MAX_LEN];
...
| };
| strscpy(chap_rec->password, chap_table->secret,
| QL4_CHAP_MAX_SECRET_LEN);
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240305-strncpy-drivers-scsi-mpi3mr-mpi3mr_fw-c-v3-4-5b78a13ff984@google.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| ql4_83xx.c | ||
| ql4_83xx.h | ||
| ql4_attr.c | ||
| ql4_bsg.c | ||
| ql4_bsg.h | ||
| ql4_dbg.c | ||
| ql4_dbg.h | ||
| ql4_def.h | ||
| ql4_fw.h | ||
| ql4_glbl.h | ||
| ql4_init.c | ||
| ql4_inline.h | ||
| ql4_iocb.c | ||
| ql4_isr.c | ||
| ql4_mbx.c | ||
| ql4_nvram.c | ||
| ql4_nvram.h | ||
| ql4_nx.c | ||
| ql4_nx.h | ||
| ql4_os.c | ||
| ql4_version.h | ||