diff options
| author |   Hangbin Liu <liuhangbin@gmail.com> | 2019-11-20 16:38:08 +0800 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2019-11-20 22:23:36 -0800 |
| commit | 9bb59a21f53e7231696257d5e6283a4fbacfb43f (patch) | |
| tree | 74a2d5c284838dca140388d71a7f226057aa9b36 /net/ipv4/sysctl_net_ipv4.c | |
| parent | ip_gre: Make none-tun-dst gre tunnel store tunnel info as metadat_dst in recv (diff) | |
| download | linux-dev-9bb59a21f53e7231696257d5e6283a4fbacfb43f.tar.xz linux-dev-9bb59a21f53e7231696257d5e6283a4fbacfb43f.zip | |
tcp: warn if offset reach the maxlen limit when using snprintf
snprintf returns the number of chars that would be written, not number
of chars that were actually written. As such, 'offs' may get larger than
'tbl.maxlen', causing the 'tbl.maxlen - offs' being < 0, and since the
parameter is size_t, it would overflow.
Since using scnprintf may hide the limit error, while the buffer is still
enough now, let's just add a WARN_ON_ONCE in case it reach the limit
in future.
v2: Use WARN_ON_ONCE as Jiri and Eric suggested.
Suggested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
| -rw-r--r-- | net/ipv4/sysctl_net_ipv4.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 59ded25acd04..c9eaf924df63 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -340,6 +340,10 @@ static int proc_tcp_fastopen_key(struct ctl_table *table, int write, user_key[i * 4 + 1], user_key[i * 4 + 2], user_key[i * 4 + 3]); + + if (WARN_ON_ONCE(off >= tbl.maxlen - 1)) + break; + if (i + 1 < n_keys) off += snprintf(tbl.data + off, tbl.maxlen - off, ","); } |