tipc: guard against string buffer overrun

[ Upstream commit 6555a2a921 ] Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-15 00:04:15 +08:00 · 2024-08-01 19:35:37 +01:00 · 2024-08-01 19:35:37 +01:00 · 54dae0e906
commit 54dae0e906
parent 1c9b877506
1 changed files with 6 additions and 2 deletions
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,

 	/* return bearer name components, if necessary */
 	if (name_parts) {
-		strcpy(name_parts->media_name, media_name);
-		strcpy(name_parts->if_name, if_name);
+		if (strscpy(name_parts->media_name, media_name,
+			    TIPC_MAX_MEDIA_NAME) < 0)
+			return 0;
+		if (strscpy(name_parts->if_name, if_name,
+			    TIPC_MAX_IF_NAME) < 0)
+			return 0;
 	}
 	return 1;
 }