|
|
@ -1,7 +1,7 @@
|
|
|
|
From ad4d8dccc457e3b45b47fd5c5fdebfcf0171aa5e Mon Sep 17 00:00:00 2001
|
|
|
|
From cd2517f4b56e7147d013c7030e09d2c2e3562f2a Mon Sep 17 00:00:00 2001
|
|
|
|
From: Jonathan Dieter <jdieter@lesbg.com>
|
|
|
|
From: Jonathan Dieter <jdieter@lesbg.com>
|
|
|
|
Date: Wed, 22 Feb 2017 20:03:06 +0200
|
|
|
|
Date: Mon, 27 Feb 2017 10:04:29 +0200
|
|
|
|
Subject: [PATCH] usbip: Fix-format-overflow
|
|
|
|
Subject: [PATCH v4 1/2] usbip: Fix-format-overflow
|
|
|
|
|
|
|
|
|
|
|
|
The usbip userspace tools call sprintf()/snprintf() and don't check for
|
|
|
|
The usbip userspace tools call sprintf()/snprintf() and don't check for
|
|
|
|
the return value which can lead the paths to overflow, truncating the
|
|
|
|
the return value which can lead the paths to overflow, truncating the
|
|
|
@ -17,15 +17,16 @@ one place and adding checks for the return value of snprintf().
|
|
|
|
Reviewed-by: Peter Senna Tschudin <peter.senna@gmail.com>
|
|
|
|
Reviewed-by: Peter Senna Tschudin <peter.senna@gmail.com>
|
|
|
|
Signed-off-by: Jonathan Dieter <jdieter@lesbg.com>
|
|
|
|
Signed-off-by: Jonathan Dieter <jdieter@lesbg.com>
|
|
|
|
---
|
|
|
|
---
|
|
|
|
tools/usb/usbip/libsrc/usbip_common.c | 8 +++++++-
|
|
|
|
|
|
|
|
|
|
|
|
tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++-
|
|
|
|
tools/usb/usbip/libsrc/usbip_host_common.c | 28 +++++++++++++++++++++++-----
|
|
|
|
tools/usb/usbip/libsrc/usbip_host_common.c | 28 +++++++++++++++++++++++-----
|
|
|
|
2 files changed, 30 insertions(+), 6 deletions(-)
|
|
|
|
2 files changed, 31 insertions(+), 6 deletions(-)
|
|
|
|
|
|
|
|
|
|
|
|
diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
index ac73710..66017d7 100644
|
|
|
|
index ac73710..1517a23 100644
|
|
|
|
--- a/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
--- a/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
+++ b/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
+++ b/tools/usb/usbip/libsrc/usbip_common.c
|
|
|
|
@@ -215,9 +215,15 @@ int read_usb_interface(struct usbip_usb_device *udev, int i,
|
|
|
|
@@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i,
|
|
|
|
struct usbip_usb_interface *uinf)
|
|
|
|
struct usbip_usb_interface *uinf)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
char busid[SYSFS_BUS_ID_SIZE];
|
|
|
|
char busid[SYSFS_BUS_ID_SIZE];
|
|
|
@ -36,14 +37,15 @@ index ac73710..66017d7 100644
|
|
|
|
+ size = snprintf(busid, sizeof(busid), "%s:%d.%d",
|
|
|
|
+ size = snprintf(busid, sizeof(busid), "%s:%d.%d",
|
|
|
|
+ udev->busid, udev->bConfigurationValue, i);
|
|
|
|
+ udev->busid, udev->bConfigurationValue, i);
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(busid)) {
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(busid)) {
|
|
|
|
+ err("busid length %i >= %lu or < 0", size, sizeof(busid));
|
|
|
|
+ err("busid length %i >= %lu or < 0", size,
|
|
|
|
|
|
|
|
+ (long unsigned)sizeof(busid));
|
|
|
|
+ return -1;
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
|
|
sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid);
|
|
|
|
sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid);
|
|
|
|
if (!sif) {
|
|
|
|
if (!sif) {
|
|
|
|
diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
index 9d41522..6fb91d9 100644
|
|
|
|
index 9d41522..6ff7b60 100644
|
|
|
|
--- a/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
--- a/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
+++ b/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
+++ b/tools/usb/usbip/libsrc/usbip_host_common.c
|
|
|
|
@@ -40,13 +40,20 @@ struct udev *udev_context;
|
|
|
|
@@ -40,13 +40,20 @@ struct udev *udev_context;
|
|
|
@ -62,7 +64,7 @@ index 9d41522..6fb91d9 100644
|
|
|
|
+ "%s/usbip_status", udev->path);
|
|
|
|
+ "%s/usbip_status", udev->path);
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) {
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) {
|
|
|
|
+ err("usbip_status path length %i >= %lu or < 0", size,
|
|
|
|
+ err("usbip_status path length %i >= %lu or < 0", size,
|
|
|
|
+ sizeof(status_attr_path));
|
|
|
|
+ (long unsigned)sizeof(status_attr_path));
|
|
|
|
+ return -1;
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+
|
|
|
@ -87,7 +89,7 @@ index 9d41522..6fb91d9 100644
|
|
|
|
+ edev->udev.path, attr_name);
|
|
|
|
+ edev->udev.path, attr_name);
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) {
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) {
|
|
|
|
+ err("exported device path length %i >= %lu or < 0", size,
|
|
|
|
+ err("exported device path length %i >= %lu or < 0", size,
|
|
|
|
+ sizeof(sockfd_attr_path));
|
|
|
|
+ (long unsigned)sizeof(sockfd_attr_path));
|
|
|
|
+ return -1;
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
|
@ -95,7 +97,7 @@ index 9d41522..6fb91d9 100644
|
|
|
|
+ size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
|
|
|
|
+ size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) {
|
|
|
|
+ if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) {
|
|
|
|
+ err("socket length %i >= %lu or < 0", size,
|
|
|
|
+ err("socket length %i >= %lu or < 0", size,
|
|
|
|
+ sizeof(sockfd_buff));
|
|
|
|
+ (long unsigned)sizeof(sockfd_buff));
|
|
|
|
+ return -1;
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
|
|