Re: [PATCH] NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2024-12-18 at 00:13 +0800, Gax-c wrote:
> From: Zichen Xie <zichenxie0106@xxxxxxxxx>
> 
> name is char[64] where the size of clnt->cl_program->name remains
> unknown. Invoking strcat() directly will also lead to potential
> buffer
> overflow. Change them to strscpy() and strncat() to fix potential
> issues.

What makes you think that clnt->cl_program->name is unknown?

All calls to nfs_sysfs_link_rpc_client() use well known RPC clients for
which the cl_program is pointing to one of nlm_program, nfs_program or
nfsacl_program. So we know very well the sizes of clnt->cl_program-
>name.

> 
> Fixes: e13b549319a6 ("NFS: Add sysfs links to sunrpc clients for
> nfs_clients")
> Signed-off-by: Zichen Xie <zichenxie0106@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
>  fs/nfs/sysfs.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c
> index bf378ecd5d9f..7b59a40d40c0 100644
> --- a/fs/nfs/sysfs.c
> +++ b/fs/nfs/sysfs.c
> @@ -280,9 +280,9 @@ void nfs_sysfs_link_rpc_client(struct nfs_server
> *server,
>  	char name[RPC_CLIENT_NAME_SIZE];
>  	int ret;
>  
> -	strcpy(name, clnt->cl_program->name);
> -	strcat(name, uniq ? uniq : "");
> -	strcat(name, "_client");
> +	strscpy(name, clnt->cl_program->name, sizeof(name));
> +	strncat(name, uniq ? uniq : "", sizeof(name) - strlen(name)
> - 1);
> +	strncat(name, "_client", sizeof(name) - strlen(name) - 1);
>  
>  	ret = sysfs_create_link_nowarn(&server->kobj,
>  						&clnt->cl_sysfs-
> >kobject, name);

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx






[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux