Re: [PATCH] crypto: hisilicon/hpre - Fix a erroneous check after snprintf()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2023/9/7 19:15, Dan Carpenter wrote:
> On Tue, Sep 05, 2023 at 07:27:47AM +0200, Marion & Christophe JAILLET wrote:
>>>
>>> The other snprintf in the same file also looks suspect.
>>
>> It looks correct to me.
>>
>> And HPRE_DBGFS_VAL_MAX_LEN being 20, it doesn't really matter. The string
>> can't be truncated with just a "%u\n".
>>
> 
> drivers/crypto/hisilicon/hpre/hpre_main.c
>    884          ret = snprintf(tbuf, HPRE_DBGFS_VAL_MAX_LEN, "%u\n", val);
>    885          return simple_read_from_buffer(buf, count, pos, tbuf, ret);
> 
> You can't pass the return value from snprintf() to simple_read_from_buffer().
> Otherwise the snprintf() checking turned a sprintf() write overflow into
> a read overflow, which is less bad but not ideal.  It needs to be
> scnprintf().
>

Here only one "%u" data is written to buf, the return value ret cannot exceed 10,
and the length of tbuf is 20.
How did the overflow you mentioned occur?

Thanks,
Longfang.
> regards,
> dan carpenter
> 
> 
> .
> 



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux