Patch "tipc: guard against string buffer overrun" has been added to the 6.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 6 Oct 2024 11:24:43 -0400

This is a note to let you know that I've just added the patch titled

    tipc: guard against string buffer overrun

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-guard-against-string-buffer-overrun.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1d04e383af2fa259bc3cfa1ae29b18b9a186144e
Author: Simon Horman <horms@xxxxxxxxxx>
Date:   Thu Aug 1 19:35:37 2024 +0100

    tipc: guard against string buffer overrun
    
    [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]
    
    Smatch reports that copying media_name and if_name to name_parts may
    overwrite the destination.
    
     .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
     .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
    
    This does seem to be the case so guard against this possibility by using
    strscpy() and failing if truncation occurs.
    
    Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
    
    Compile tested only.
    
    Reviewed-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Simon Horman <horms@xxxxxxxxxx>
    Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 5a526ebafeb4b..3c9e25f6a1d22 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,
 
 	/* return bearer name components, if necessary */
 	if (name_parts) {
-		strcpy(name_parts->media_name, media_name);
-		strcpy(name_parts->if_name, if_name);
+		if (strscpy(name_parts->media_name, media_name,
+			    TIPC_MAX_MEDIA_NAME) < 0)
+			return 0;
+		if (strscpy(name_parts->if_name, if_name,
+			    TIPC_MAX_IF_NAME) < 0)
+			return 0;
 	}
 	return 1;
 }







