On Thu, Nov 14, 2024 at 06:19:12PM +0900, Max Staudt wrote:
> Hi Dan,
>
> On 11/14/24 18:03, Dan Carpenter wrote:
> > This code is printing hex values to the &local_txbuf buffer and it's
> > using the snprintf() function to try prevent buffer overflows. The
> > problem is that it's not passing the correct limit to the snprintf()
> > function so the limit doesn't do anything. On each iteration we print
> > two digits so the remaining size should also decrease by two, but
> > instead it passes the sizeof() the entire buffer each time.
>
> D'oh, silly mistake. Thank you for finding it!
>
>
> IMHO the correct fix isn't further counting and checking within the snprintf
> loop. Instead, the buffer is correctly sized for a payload of up to 8 bytes,
> and what we should do is to initially establish that frame->len is indeed no
> larger than 8 bytes. So, something like
>
> if (frame->len > 8) {
> netdev_err(elm->dev, "The CAN stack handed us a frame with len > 8 bytes.
> Dropped packet.\n");
> }
>
> This check would go into can327_netdev_start_xmit(), and then a comment at
> your current patch's location to remind of this.
So far, so good. But it sounds like you've already written this patch in your
head. Can you just send this and give me Reported-by credit?
> Also, snprintf() can be
> simplified to sprintf(), since it is fully predictable in this case.
>
I don't love transitions from snprintf() to sprintf() but I won't complain.
>
> It's also possible that the CAN stack already checks frame->len, in which
> case I'd just add comments to can327. I haven't dug into the code now -
> maybe the maintainers know?
No idea. Can is quite difficult to parse from a static checker point of view
because of how it casts skb->data to a struct validates that everything is
correct and then passes it around as skb->data. #opaque. Smatch always treats
skb->data as untrusted, which is mostly a problem on the send path but with can
it's a problem throughout.
>
>
> I can whip something up next week.
Excelent, thanks.
regards,
dan carpenter
