On Wed, Aug 09, 2023 at 01:38:55AM +0200, Florian Westphal wrote:
> Justin Stitt <justinstitt@xxxxxxxxxx> wrote:
> > Fixes several buffer overread bugs present in `ip_set_core.c` by using
> > `strscpy` over `strncpy`.
> >
> > Link: https://github.com/KSPP/linux/issues/90
> > Cc: linux-hardening@xxxxxxxxxxxxxxx
> > Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
> >
> > ---
> > There exist several potential buffer overread bugs here. These bugs
> > exist due to the fact that the destination and source strings may have
> > the same length which is equal to the max length `IPSET_MAXNAMELEN`.
>
> There is no truncation. Inputs are checked via nla_policy:
>
> [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, .len = IPSET_MAXNAMELEN - 1 },

Ah, perfect. Yeah, so if it needs zero-padding, but it is always
NUL-terminated, strscpy_pad() is the right replacement. Thanks!

-- 
Kees Cook
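
The copy semantics discussed in this thread, as an added userspace example that is not code from the patch, the kernel, or any participant. `model_strscpy_pad()`, `terminated_and_padded()` and `copy_is_safe()` are hypothetical names, the model only mirrors the documented `strscpy_pad()` contract, and `IPSET_MAXNAMELEN` is assumed to be 32 as in the kernel's uapi header.

```c
#include <stdio.h>
#include <string.h>

#define IPSET_MAXNAMELEN 32 /* assumed: value in the kernel's uapi ip_set.h */

/* Userspace model of the strscpy_pad() contract, not the kernel's code: always
 * NUL-terminate, zero-fill the tail, return length or -1 (kernel: -E2BIG). */
static long model_strscpy_pad(char *dst, const char *src, size_t size)
{
    size_t len = 0, n;
    if (size == 0)
        return -1;
    while (len < size && src[len])
        len++;
    n = len < size ? len : size - 1;
    memcpy(dst, src, n);
    memset(dst + n, 0, size - n);
    return len < size ? (long)n : -1;
}

/* 1 if buf has a NUL within size bytes and only zero bytes after it. */
static int terminated_and_padded(const char *buf, size_t size)
{
    const char *p = memchr(buf, 0, size);
    for (; p && p < buf + size; p++)
        if (*p)
            return 0;
    return p != NULL;
}

/* Copy a constructed name of name_len (<= 32) 'a' characters over stale bytes. */
static int copy_is_safe(size_t name_len, int use_strncpy)
{
    char src[IPSET_MAXNAMELEN + 1] = { 0 };
    char dst[IPSET_MAXNAMELEN];
    memset(src, 'a', name_len);
    memset(dst, 0x5a, sizeof(dst)); /* stale data from an earlier use */
    if (use_strncpy)
        strncpy(dst, src, sizeof(dst));
    else
        model_strscpy_pad(dst, src, sizeof(dst));
    return terminated_and_padded(dst, sizeof(dst));
}

int main(void)
{
    printf("strncpy, 31 chars (policy max): %d\n", copy_is_safe(31, 1));
    printf("strncpy, 32 chars:              %d\n", copy_is_safe(32, 1));
    printf("strscpy_pad model, 32 chars:    %d\n", copy_is_safe(32, 0));
    return 0;
}
```

With names capped at `IPSET_MAXNAMELEN - 1` characters, as the quoted nla_policy does, both copies end up terminated and padded; only a full 32-character source leaves the `strncpy` destination without a NUL.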