[U-Boot] [PATCH 1/3] serial-uclass.c: Copy at most sdev.name - 1 characters into the buffer
Coverity notes that we do not ensure a NULL terminated string here as we could fill the entire buffer with our strncpy call. Fix this by subtracting one.
Reported-by: Coverity (CID 131093) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com --- drivers/serial/serial-uclass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/serial/serial-uclass.c b/drivers/serial/serial-uclass.c index 842f78b..2ef82b0 100644 --- a/drivers/serial/serial-uclass.c +++ b/drivers/serial/serial-uclass.c @@ -324,7 +324,7 @@ static int serial_post_probe(struct udevice *dev) return 0; memset(&sdev, '\0', sizeof(sdev));
- strncpy(sdev.name, dev->name, sizeof(sdev.name)); + strncpy(sdev.name, dev->name, sizeof(sdev.name) - 1); sdev.flags = DEV_FLAGS_OUTPUT | DEV_FLAGS_INPUT; sdev.priv = dev; sdev.putc = serial_stub_putc;
Coverity notes that we do not ensure when we copy ifname we still have space left to ensure NULL termination. As cannot control the size of ifr_name we must make sure that our argument will not overflow the buffer.
Reported-by: Coverity (CID 131094) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com --- arch/sandbox/cpu/eth-raw-os.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/arch/sandbox/cpu/eth-raw-os.c b/arch/sandbox/cpu/eth-raw-os.c index b76a731..528865f 100644 --- a/arch/sandbox/cpu/eth-raw-os.c +++ b/arch/sandbox/cpu/eth-raw-os.c @@ -76,6 +76,10 @@ static int _raw_packet_start(const char *ifname, unsigned char *ethmac, printf("Failed to set promiscuous mode: %d %s\n" "Falling back to the old "flags" way...\n", errno, strerror(errno)); + if (strlen(ifname) >= IFNAMSIZ) { + printf("Interface name %s is too long.\n", ifname); + return -EINVAL; + } strncpy(ifr.ifr_name, ifname, IFNAMSIZ); if (ioctl(priv->sd, SIOCGIFFLAGS, &ifr) < 0) { printf("Failed to read flags: %d %s\n", errno,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy ifname we still have space left to ensure NULL termination. As cannot control the size of ifr_name we must make sure that our argument will not overflow the buffer.
Reported-by: Coverity (CID 131094) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
arch/sandbox/cpu/eth-raw-os.c | 4 ++++ 1 file changed, 4 insertions(+)
Reviewed-by: Simon Glass sjg@chromium.org
Applied to u-boot-dm/next.
Coverity notes that we do not ensure when we copy in the product/vendor strings that they have NULL termination. In this case the answer is to increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com --- drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3]; - char vendor[8]; - char product[16]; + char vendor[9]; /* 8 + NUL-termination */ + char product[17]; /* 16 + NUL-termination */ char revision[4]; };
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct sandbox_flash_plat *plat, strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product)); + resp->vendor[8] = 0; + resp->product[16] = 0; strncpy(resp->revision, "1.0", sizeof(resp->revision)); setup_response(priv, resp, sizeof(*resp)); break;
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the product/vendor strings that they have NULL termination. In this case the answer is to increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct sandbox_flash_plat *plat, strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0", sizeof(resp->revision)); setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Regards, Simon
On Tue, Dec 08, 2015 at 12:35:23PM -0700, Simon Glass wrote:
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the product/vendor strings that they have NULL termination. In this case the answer is to increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct sandbox_flash_plat *plat, strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0", sizeof(resp->revision)); setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Yes. We memset resp to NULL to start with so we know it will always be NULL terminated now. Elsewhere in our SCSI code is where I got the idea, common/usb_storage.c::usb_stor_get_info for example.
Hi Tom,
On Dec 8, 2015 4:28 PM, "Tom Rini" trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 12:35:23PM -0700, Simon Glass wrote:
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the
product/vendor
strings that they have NULL termination. In this case the answer is
to
increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c
b/drivers/usb/emul/sandbox_flash.c
index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct
sandbox_flash_plat *plat,
strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0",
sizeof(resp->revision));
setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Yes. We memset resp to NULL to start with so we know it will always be NULL terminated now. Elsewhere in our SCSI code is where I got the idea, common/usb_storage.c::usb_stor_get_info for example.
Yes but you are changing the struct.
Regards, Simon
On Tue, Dec 08, 2015 at 04:42:17PM -0700, Simon Glass wrote:
Hi Tom,
On Dec 8, 2015 4:28 PM, "Tom Rini" trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 12:35:23PM -0700, Simon Glass wrote:
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the
product/vendor
strings that they have NULL termination. In this case the answer is
to
increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c
b/drivers/usb/emul/sandbox_flash.c
index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct
sandbox_flash_plat *plat,
strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0",sizeof(resp->revision));
setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Yes. We memset resp to NULL to start with so we know it will always be NULL terminated now. Elsewhere in our SCSI code is where I got the idea, common/usb_storage.c::usb_stor_get_info for example.
Yes but you are changing the struct.
Yeah, true too. I'm having a bit of trouble tracing how all of this ties back into where in the rest of the stack. Can you figure out if this is safe or if we should NULL terminate [7]/etc or what? Thanks!
Hi Tom,
On 8 December 2015 at 16:58, Tom Rini trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 04:42:17PM -0700, Simon Glass wrote:
Hi Tom,
On Dec 8, 2015 4:28 PM, "Tom Rini" trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 12:35:23PM -0700, Simon Glass wrote:
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the
product/vendor
strings that they have NULL termination. In this case the answer is
to
increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c
b/drivers/usb/emul/sandbox_flash.c
index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct
sandbox_flash_plat *plat,
strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0",sizeof(resp->revision));
setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Yes. We memset resp to NULL to start with so we know it will always be NULL terminated now. Elsewhere in our SCSI code is where I got the idea, common/usb_storage.c::usb_stor_get_info for example.
Yes but you are changing the struct.
Yeah, true too. I'm having a bit of trouble tracing how all of this ties back into where in the rest of the stack. Can you figure out if this is safe or if we should NULL terminate [7]/etc or what? Thanks!
See usb_inquiry() which issues the request and usb_stor_get_info() which processes the response.. Sandbox needs to send the response back in the expected format or it will not work. You can run the driver model usb tests to check. However at present there are three separate test breakages in driver model...
Regards, Simon
On Wed, Dec 09, 2015 at 04:58:12PM -0700, Simon Glass wrote:
Hi Tom,
On 8 December 2015 at 16:58, Tom Rini trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 04:42:17PM -0700, Simon Glass wrote:
Hi Tom,
On Dec 8, 2015 4:28 PM, "Tom Rini" trini@konsulko.com wrote:
On Tue, Dec 08, 2015 at 12:35:23PM -0700, Simon Glass wrote:
Hi Tom,
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure when we copy in the
product/vendor
strings that they have NULL termination. In this case the answer is
to
increase the buffer we have and then set the last entry to NULL.
Reported-by: Coverity (CID 131095) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/emul/sandbox_flash.c
b/drivers/usb/emul/sandbox_flash.c
index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3];
char vendor[8];char product[16];
char vendor[9]; /* 8 + NUL-termination */char product[17]; /* 16 + NUL-termination */ char revision[4];};
@@ -260,6 +260,8 @@ static int handle_ufi_command(struct
sandbox_flash_plat *plat,
strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product));
resp->vendor[8] = 0;resp->product[16] = 0; strncpy(resp->revision, "1.0",sizeof(resp->revision));
setup_response(priv, resp, sizeof(*resp)); break;-- 1.7.9.5
Does this work? It seems like it is changing the SCSI protocol spec, which we can't do.
Yes. We memset resp to NULL to start with so we know it will always be NULL terminated now. Elsewhere in our SCSI code is where I got the idea, common/usb_storage.c::usb_stor_get_info for example.
Yes but you are changing the struct.
Yeah, true too. I'm having a bit of trouble tracing how all of this ties back into where in the rest of the stack. Can you figure out if this is safe or if we should NULL terminate [7]/etc or what? Thanks!
See usb_inquiry() which issues the request and usb_stor_get_info() which processes the response.. Sandbox needs to send the response back in the expected format or it will not work. You can run the driver model usb tests to check. However at present there are three separate test breakages in driver model...
Well blarg. I really do need to get into the habit of running the tests every time I also do a big build cycle, along with doing gcc 5..
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure a NULL terminated string here as we could fill the entire buffer with our strncpy call. Fix this by subtracting one.
Reported-by: Coverity (CID 131093) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/serial/serial-uclass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Simon Glass sjg@chromium.org
diff --git a/drivers/serial/serial-uclass.c b/drivers/serial/serial-uclass.c index 842f78b..2ef82b0 100644 --- a/drivers/serial/serial-uclass.c +++ b/drivers/serial/serial-uclass.c @@ -324,7 +324,7 @@ static int serial_post_probe(struct udevice *dev) return 0; memset(&sdev, '\0', sizeof(sdev));
strncpy(sdev.name, dev->name, sizeof(sdev.name));
strncpy(sdev.name, dev->name, sizeof(sdev.name) - 1);
There is also strlcpy() if you want it.
sdev.flags = DEV_FLAGS_OUTPUT | DEV_FLAGS_INPUT; sdev.priv = dev; sdev.putc = serial_stub_putc;-- 1.7.9.5
On Tue, Dec 08, 2015 at 12:35:18PM -0700, Simon Glass wrote:
On 7 December 2015 at 20:26, Tom Rini trini@konsulko.com wrote:
Coverity notes that we do not ensure a NULL terminated string here as we could fill the entire buffer with our strncpy call. Fix this by subtracting one.
Reported-by: Coverity (CID 131093) Cc: Simon Glass sjg@chromium.org Signed-off-by: Tom Rini trini@konsulko.com
drivers/serial/serial-uclass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Simon Glass sjg@chromium.org
diff --git a/drivers/serial/serial-uclass.c b/drivers/serial/serial-uclass.c index 842f78b..2ef82b0 100644 --- a/drivers/serial/serial-uclass.c +++ b/drivers/serial/serial-uclass.c @@ -324,7 +324,7 @@ static int serial_post_probe(struct udevice *dev) return 0; memset(&sdev, '\0', sizeof(sdev));
strncpy(sdev.name, dev->name, sizeof(sdev.name));
strncpy(sdev.name, dev->name, sizeof(sdev.name) - 1);There is also strlcpy() if you want it.
Ah good. Yeah, I think I should v2 this patch and use strlcpy as there's going to be many more of these I bet to come.
participants (2)
-
Simon Glass -
Tom Rini