[linux-next:master 8113/9522] fs/cifs/smb1ops.c:272:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyze...


 



tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   86ed57fd8c93fdfaabb4f58e78455180fa7d8a84
commit: d3986619ac1ea40c4f4a988edd4d0c569ed5cd9c [8113/9522] cifs: move functions that depend on DES to smp1ops.c
:::::: branch date: 34 hours ago
:::::: commit date: 5 days ago
config: i386-randconfig-c001-20210820 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project d9c5613e856cf2addfbf892fc4c1ce9ef9feceaa)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=d3986619ac1ea40c4f4a988edd4d0c569ed5cd9c
        git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
        git fetch --no-tags linux-next master
        git checkout d3986619ac1ea40c4f4a988edd4d0c569ed5cd9c
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=i386 clang-analyzer

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>


clang-analyzer warnings: (new ones prefixed by >>)

>> fs/cifs/smb1ops.c:272:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(bcc_ptr, tree);
                   ^~~~~~
>> fs/cifs/smb1ops.c:275:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
           strcpy(bcc_ptr, "?????");
           ^~~~~~


vim +272 fs/cifs/smb1ops.c

d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  177
/*
 * NOTE(review): annotation added to the quoted listing; the numbers below
 * are the smb1ops.c line numbers shown in the gutter.
 *
 * CIFSTCon() fills a TREE_CONNECT_ANDX request in the buffer returned by
 * cifs_buf_get(), sends it with SendReceive() (request and response use the
 * same buffer, line 202), and on success records the tid, the IPC/pipe
 * flags, the tree name, the native file system name and the OptionalSupport
 * flags in @tcon.
 *
 * Return: -EIO if @ses is NULL, -ENOMEM if no buffer is available, the
 * SMBNTencrypt() error if the password response cannot be built, otherwise
 * the SendReceive() result. The buffer is released on every path after it
 * has been obtained (lines 242 and 336).
 *
 * Request side (lines 263-277):
 *  - 272: @tree is copied with strcpy() and nothing in this function checks
 *    strlen(tree) against the space left after the password field. The copy
 *    stays in bounds only if every caller limits @tree; the buffer size is
 *    not visible here - TODO confirm against cifs_buf_get() and the callers.
 *    Line 317 copies the same string with strlcpy() and an explicit sizeof(),
 *    so the two copies are not held to the same limit. Checking the length
 *    of @tree against the remaining request space before line 272 would make
 *    the bound explicit.
 *  - 275: the source is the literal "?????" (6 bytes with its terminator),
 *    so this copy can only overrun if the path written before it already
 *    used up the buffer.
 *  - 265-268: the Unicode branch passes 6 * 256 to cifs_strtoUTF16(); the
 *    "server len" term is only a comment, so "+ 256" is a unary plus.
 *    Presumably a server-name length was meant to be added - verify.
 *
 * Password field (lines 215-252): with CONFIG_CIFS_WEAK_PW_HASH the "else"
 * on line 235 binds to the SMBNTencrypt() call on line 237, so rc keeps its
 * initial 0 when calc_lanman_hash() is used.
 *
 * Response side (lines 292-323): bytes_left comes from get_bcc() on the
 * reply received from the server. Line 294 computes bytes_left - 2 with no
 * check in this function that bytes_left is at least 2; for 0 or 1 the
 * value is negative and, assuming strnlen() takes a size_t bound, turns into
 * a very large limit. Whether SendReceive() already rejects such replies
 * cannot be told from this listing - TODO confirm, or guard before line 294.
 */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  178  /*
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  179   * Issue a TREE_CONNECT request.
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  180   */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  181  static int
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  182  CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  183  	 const char *tree, struct cifs_tcon *tcon,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  184  	 const struct nls_table *nls_codepage)
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  185  {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  186  	struct smb_hdr *smb_buffer;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  187  	struct smb_hdr *smb_buffer_response;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  188  	TCONX_REQ *pSMB;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  189  	TCONX_RSP *pSMBr;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  190  	unsigned char *bcc_ptr;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  191  	int rc = 0;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  192  	int length;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  193  	__u16 bytes_left, count;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  194
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  195  	if (ses == NULL)
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  196  		return -EIO;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  197
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  198  	smb_buffer = cifs_buf_get();
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  199  	if (smb_buffer == NULL)
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  200  		return -ENOMEM;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  201
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  202  	smb_buffer_response = smb_buffer;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  203
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  204  	header_assemble(smb_buffer, SMB_COM_TREE_CONNECT_ANDX,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  205  			NULL /*no tid */ , 4 /*wct */ );
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  206
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  207  	smb_buffer->Mid = get_next_mid(ses->server);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  208  	smb_buffer->Uid = ses->Suid;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  209  	pSMB = (TCONX_REQ *) smb_buffer;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  210  	pSMBr = (TCONX_RSP *) smb_buffer_response;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  211
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  212  	pSMB->AndXCommand = 0xFF;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  213  	pSMB->Flags = cpu_to_le16(TCON_EXTENDED_SECINFO);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  214  	bcc_ptr = &pSMB->Password[0];
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  215  	if (tcon->pipe || (ses->server->sec_mode & SECMODE_USER)) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  216  		pSMB->PasswordLength = cpu_to_le16(1);	/* minimum */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  217  		*bcc_ptr = 0; /* password is null byte */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  218  		bcc_ptr++;              /* skip password */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  219  		/* already aligned so no need to do it below */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  220  	} else {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  221  		pSMB->PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  222  		/* BB FIXME add code to fail this if NTLMv2 or Kerberos
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  223  		   specified as required (when that support is added to
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  224  		   the vfs in the future) as only NTLM or the much
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  225  		   weaker LANMAN (which we do not send by default) is accepted
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  226  		   by Samba (not sure whether other servers allow
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  227  		   NTLMv2 password here) */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  228  #ifdef CONFIG_CIFS_WEAK_PW_HASH
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  229  		if ((global_secflags & CIFSSEC_MAY_LANMAN) &&
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  230  		    (ses->sectype == LANMAN))
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  231  			calc_lanman_hash(tcon->password, ses->server->cryptkey,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  232  					 ses->server->sec_mode &
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  233  					    SECMODE_PW_ENCRYPT ? true : false,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  234  					 bcc_ptr);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  235  		else
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  236  #endif /* CIFS_WEAK_PW_HASH */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  237  		rc = SMBNTencrypt(tcon->password, ses->server->cryptkey,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  238  					bcc_ptr, nls_codepage);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  239  		if (rc) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  240  			cifs_dbg(FYI, "%s Can't generate NTLM rsp. Error: %d\n",
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  241  				 __func__, rc);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  242  			cifs_buf_release(smb_buffer);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  243  			return rc;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  244  		}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  245
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  246  		bcc_ptr += CIFS_AUTH_RESP_SIZE;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  247  		if (ses->capabilities & CAP_UNICODE) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  248  			/* must align unicode strings */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  249  			*bcc_ptr = 0; /* null byte password */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  250  			bcc_ptr++;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  251  		}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  252  	}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  253
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  254  	if (ses->server->sign)
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  255  		smb_buffer->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  256
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  257  	if (ses->capabilities & CAP_STATUS32) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  258  		smb_buffer->Flags2 |= SMBFLG2_ERR_STATUS;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  259  	}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  260  	if (ses->capabilities & CAP_DFS) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  261  		smb_buffer->Flags2 |= SMBFLG2_DFS;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  262  	}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  263  	if (ses->capabilities & CAP_UNICODE) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  264  		smb_buffer->Flags2 |= SMBFLG2_UNICODE;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  265  		length =
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  266  		    cifs_strtoUTF16((__le16 *) bcc_ptr, tree,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  267  			6 /* max utf8 char length in bytes */ *
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  268  			(/* server len*/ + 256 /* share len */), nls_codepage);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  269  		bcc_ptr += 2 * length;	/* convert num 16 bit words to bytes */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  270  		bcc_ptr += 2;	/* skip trailing null */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  271  	} else {		/* ASCII */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17 @272  		strcpy(bcc_ptr, tree);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  273  		bcc_ptr += strlen(tree) + 1;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  274  	}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17 @275  	strcpy(bcc_ptr, "?????");
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  276  	bcc_ptr += strlen("?????");
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  277  	bcc_ptr += 1;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  278  	count = bcc_ptr - &pSMB->Password[0];
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  279  	be32_add_cpu(&pSMB->hdr.smb_buf_length, count);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  280  	pSMB->ByteCount = cpu_to_le16(count);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  281
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  282  	rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  283  			 0);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  284
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  285  	/* above now done in SendReceive */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  286  	if (rc == 0) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  287  		bool is_unicode;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  288
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  289  		tcon->tidStatus = CifsGood;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  290  		tcon->need_reconnect = false;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  291  		tcon->tid = smb_buffer_response->Tid;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  292  		bcc_ptr = pByteArea(smb_buffer_response);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  293  		bytes_left = get_bcc(smb_buffer_response);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  294  		length = strnlen(bcc_ptr, bytes_left - 2);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  295  		if (smb_buffer->Flags2 & SMBFLG2_UNICODE)
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  296  			is_unicode = true;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  297  		else
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  298  			is_unicode = false;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  299
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  300
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  301  		/* skip service field (NB: this field is always ASCII) */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  302  		if (length == 3) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  303  			if ((bcc_ptr[0] == 'I') && (bcc_ptr[1] == 'P') &&
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  304  			    (bcc_ptr[2] == 'C')) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  305  				cifs_dbg(FYI, "IPC connection\n");
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  306  				tcon->ipc = true;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  307  				tcon->pipe = true;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  308  			}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  309  		} else if (length == 2) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  310  			if ((bcc_ptr[0] == 'A') && (bcc_ptr[1] == ':')) {
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  311  				/* the most common case */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  312  				cifs_dbg(FYI, "disk share connection\n");
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  313  			}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  314  		}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  315  		bcc_ptr += length + 1;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  316  		bytes_left -= (length + 1);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  317  		strlcpy(tcon->treeName, tree, sizeof(tcon->treeName));
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  318
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  319  		/* mostly informational -- no need to fail on error here */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  320  		kfree(tcon->nativeFileSystem);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  321  		tcon->nativeFileSystem = cifs_strndup_from_utf16(bcc_ptr,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  322  						      bytes_left, is_unicode,
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  323  						      nls_codepage);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  324
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  325  		cifs_dbg(FYI, "nativeFileSystem=%s\n", tcon->nativeFileSystem);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  326
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  327  		if ((smb_buffer_response->WordCount == 3) ||
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  328  			 (smb_buffer_response->WordCount == 7))
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  329  			/* field is in same location */
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  330  			tcon->Flags = le16_to_cpu(pSMBr->OptionalSupport);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  331  		else
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  332  			tcon->Flags = 0;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  333  		cifs_dbg(FYI, "Tcon flags: 0x%x\n", tcon->Flags);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  334  	}
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  335
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  336  	cifs_buf_release(smb_buffer);
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  337  	return rc;
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  338  }
d3986619ac1ea4 Ronnie Sahlberg 2021-08-17  339

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip

