net/smc: use memcpy instead of snprintf to avoid out of bounds read

Using snprintf() to convert not null-terminated strings to null
terminated strings may cause out of bounds read in the source string.
Therefore use memcpy() and terminate the target string with a null
afterwards.

Fixes: a3db10efcc4c ("net/smc: Add support for obtaining SMCR device list")
Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 8d866b4ed8f61e8aa23e1bf17c76418c896a9614..0df85a12651e96e87c97031316cd94585456cc08 100644 (file)
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -258,7 +258,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb)
                smc_ism_get_system_eid(smcd_dev, &seid);
        mutex_unlock(&smcd_dev_list.mutex);
        if (seid && smc_ism_is_v2_capable()) {
-               snprintf(smc_seid, sizeof(smc_seid), "%s", seid);
+               memcpy(smc_seid, seid, SMC_MAX_EID_LEN);
+               smc_seid[SMC_MAX_EID_LEN] = 0;
                if (nla_put_string(skb, SMC_NLA_SYS_SEID, smc_seid))
                        goto errattr;
        }
@@ -296,7 +297,8 @@ static int smc_nl_fill_lgr(struct smc_link_group *lgr,
                goto errattr;
        if (nla_put_u8(skb, SMC_NLA_LGR_R_VLAN_ID, lgr->vlan_id))
                goto errattr;
-       snprintf(smc_target, sizeof(smc_target), "%s", lgr->pnet_id);
+       memcpy(smc_target, lgr->pnet_id, SMC_MAX_PNETID_LEN);
+       smc_target[SMC_MAX_PNETID_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_LGR_R_PNETID, smc_target))
                goto errattr;
 
@@ -313,7 +315,7 @@ static int smc_nl_fill_lgr_link(struct smc_link_group *lgr,
                                struct sk_buff *skb,
                                struct netlink_callback *cb)
 {
-       char smc_ibname[IB_DEVICE_NAME_MAX + 1];
+       char smc_ibname[IB_DEVICE_NAME_MAX];
        u8 smc_gid_target[41];
        struct nlattr *attrs;
        u32 link_uid = 0;
@@ -462,7 +464,8 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr,
                goto errattr;
        if (nla_put_u32(skb, SMC_NLA_LGR_D_CHID, smc_ism_get_chid(lgr->smcd)))
                goto errattr;
-       snprintf(smc_pnet, sizeof(smc_pnet), "%s", lgr->smcd->pnetid);
+       memcpy(smc_pnet, lgr->smcd->pnetid, SMC_MAX_PNETID_LEN);
+       smc_pnet[SMC_MAX_PNETID_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_LGR_D_PNETID, smc_pnet))
                goto errattr;
 
@@ -475,10 +478,12 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr,
                goto errv2attr;
        if (nla_put_u8(skb, SMC_NLA_LGR_V2_OS, lgr->peer_os))
                goto errv2attr;
-       snprintf(smc_host, sizeof(smc_host), "%s", lgr->peer_hostname);
+       memcpy(smc_host, lgr->peer_hostname, SMC_MAX_HOSTNAME_LEN);
+       smc_host[SMC_MAX_HOSTNAME_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_LGR_V2_PEER_HOST, smc_host))
                goto errv2attr;
-       snprintf(smc_eid, sizeof(smc_eid), "%s", lgr->negotiated_eid);
+       memcpy(smc_eid, lgr->negotiated_eid, SMC_MAX_EID_LEN);
+       smc_eid[SMC_MAX_EID_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_LGR_V2_NEG_EID, smc_eid))
                goto errv2attr;
 

diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index ddd7fac98b1d6558a5968d5e4a50e899d5492674..7d7ba0320d5aefc539838c0bf13e365e181d43a7 100644 (file)
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -371,8 +371,8 @@ static int smc_nl_handle_dev_port(struct sk_buff *skb,
        if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR,
                       smcibdev->pnetid_by_user[port]))
                goto errattr;
-       snprintf(smc_pnet, sizeof(smc_pnet), "%s",
-                (char *)&smcibdev->pnetid[port]);
+       memcpy(smc_pnet, &smcibdev->pnetid[port], SMC_MAX_PNETID_LEN);
+       smc_pnet[SMC_MAX_PNETID_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet))
                goto errattr;
        if (nla_put_u32(skb, SMC_NLA_DEV_PORT_NETDEV,
@@ -414,7 +414,7 @@ static int smc_nl_handle_smcr_dev(struct smc_ib_device *smcibdev,
                                  struct sk_buff *skb,
                                  struct netlink_callback *cb)
 {
-       char smc_ibname[IB_DEVICE_NAME_MAX + 1];
+       char smc_ibname[IB_DEVICE_NAME_MAX];
        struct smc_pci_dev smc_pci_dev;
        struct pci_dev *pci_dev;
        unsigned char is_crit;

diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c
index 524ef64a191a5b31788c2750fbcb58876ee77874..9c6e95882553eb97374e3d080b581308bba91a89 100644 (file)
--- a/net/smc/smc_ism.c
+++ b/net/smc/smc_ism.c
@@ -250,7 +250,8 @@ static int smc_nl_handle_smcd_dev(struct smcd_dev *smcd,
                goto errattr;
        if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR, smcd->pnetid_by_user))
                goto errportattr;
-       snprintf(smc_pnet, sizeof(smc_pnet), "%s", smcd->pnetid);
+       memcpy(smc_pnet, smcd->pnetid, SMC_MAX_PNETID_LEN);
+       smc_pnet[SMC_MAX_PNETID_LEN] = 0;
        if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet))
                goto errportattr;