ath5k: snprintf() returns largish values
in [Kernel]
|
Prev: i915 drm BUG: unable to handle kernel paging request at a5e89046
Next: [PATCH] acpi: fix apei related table size checking
From: Joe Perches on 23 Jul 2010 13:50 On Fri, 2010-07-23 at 12:04 +0200, Dan Carpenter wrote: > This is a smatch thing. I suppose someday I will fix smatch to > evaulate the strings themselves and verify that the buffer is large > enough. But for now it's nice to be able to automatically check that > the buffers don't overflow. There are also many repeated uses of snprintf in kernel sources that could similarly be a problem. bar += snprintf(foo + bar, ...) bar += snprintf(foo + bar, ...) or foo += snprintf(foo, ...) foo += snprintf(foo, ...) For instance: $ grep -P -n -A 4 -m 3 "\+=\s*snprintf" drivers/net/wireless/ath/ath5k/debug.c 210: len += snprintf(buf+len, sizeof(buf)-len, 211- "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n", 212- "AR5K_BEACON", v, v & AR5K_BEACON_PERIOD, 213- (v & AR5K_BEACON_TIM) >> AR5K_BEACON_TIM_S); 214- 215: len += snprintf(buf+len, sizeof(buf)-len, "%-24s0x%08x\n", 216- "AR5K_LAST_TSTP", ath5k_hw_reg_read(sc->ah, AR5K_LAST_TSTP)); 217- 218: len += snprintf(buf+len, sizeof(buf)-len, "%-24s0x%08x\n\n", 219- "AR5K_BEACON_CNT", ath5k_hw_reg_read(sc->ah, AR5K_BEACON_CNT)); 220- A conversion from snprintf to scnprintf might be appropriate for those patterns. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Linus Torvalds on 23 Jul 2010 15:30
On Fri, Jul 23, 2010 at 10:48 AM, Joe Perches <joe(a)perches.com> wrote: > > There are also many repeated uses of snprintf in kernel sources > that could similarly be a problem. > > � � � �bar += snprintf(foo + bar, ...) > � � � �bar += snprintf(foo + bar, ...) > or > � � � �foo += snprintf(foo, ...) > � � � �foo += snprintf(foo, ...) As long as the number of bytes is updated correctly, this won't be a security problem, although it can cause a (single) warning. The kernel vsnprintf does if (WARN_ON_ONCE((int) size < 0)) return 0; so if somebody overflows a buffer with multiple snprintf calls, it will all be ok as long as the buffer size thing is updated the natural way (possibly using pointer arithmetic, eg "end - bar"). Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |