• Jon Maloy's avatar
    tipc: avoid possible string overflow · 7494cfa6
    Jon Maloy authored
    gcc points out that the combined length of the fixed-length inputs to
    l->name is larger than the destination buffer size:
    
    net/tipc/link.c: In function 'tipc_link_create':
    net/tipc/link.c:465:26: error: '%s' directive writing up to 32 bytes
    into a region of size between 26 and 58 [-Werror=format-overflow=]
    sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);
    
    net/tipc/link.c:465:2: note: 'sprintf' output 11 or more bytes
    (assuming 75) into a destination of size 60
    sprintf(l->name, "%s:%s-%s:unknown", self_str, if_name, peer_str);
    
    A detailed analysis reveals that the theoretical maximum length of
    a link name is:
    max self_str + 1 + max if_name + 1 + max peer_str + 1 + max if_name =
    16 + 1 + 15 + 1 + 16 + 1 + 15 = 65
    Since we also need space for a trailing zero we now set MAX_LINK_NAME
    to 68.
    
    Just to be on the safe side we also replace the sprintf() call with
    snprintf().
    
    Fixes: 25b0b9c4 ("tipc: handle collisions of 32-bit node address
    hash values")
    Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
    Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    7494cfa6
link.c 57.2 KB