caif: add a sanity check to the tty name

"tty->name" and "name" are a 64 character buffers. My static checker complains because we add the "cf" on the front so it look like we are copying a 66 character string into a 64 character buffer. Also if the name is larger than IFNAMSIZ (16) it triggers a BUG_ON() inside the call to alloc_netdev(). This is all under CAP_SYS_ADMIN so it's not a security fix, it just adds a little robustness. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

caif: add a sanity check to the tty name
"tty->name" and "name" are a 64 character buffers. My static checker complains because we add the "cf" on the front so it look like we are copying a 66 character string into a 64 character buffer. Also if the name is larger than IFNAMSIZ (16) it triggers a BUG_ON() inside the call to alloc_netdev(). This is all under CAP_SYS_ADMIN so it's not a security fix, it just adds a little robustness. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
cab6ce9e · Dan Carpenter · David S. Miller · 0b536be7 · cab6ce9e
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

drivers/net/caif/caif_serial.c drivers/net/caif/caif_serial.c +3 -1

未找到文件。
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -347,7 +347,9 @@ static int ldisc_open(struct tty_struct *tty)
 	/* release devices to avoid name collision */
 	ser_release(NULL);

-	sprintf(name, "cf%s", tty->name);
+	result = snprintf(name, sizeof(name), "cf%s", tty->name);
+	if (result >= IFNAMSIZ)
+		return -EINVAL;
 	dev = alloc_netdev(sizeof(*ser), name, caifdev_setup);
 	if (!dev)
 		return -ENOMEM;