From a970a77ece187c605da6775fa19e19606f9f309b Mon Sep 17 00:00:00 2001 From: Ralf Baechle Date: Wed, 28 Jul 2021 16:58:51 +0200 Subject: ax25ipd: Fix warning and potential buffer overflow in bpqether.c. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adding an additional check convinces GCC 11 there won't be a buffer overflow. Reading the code it's pretty hard to convince myself overflow is impossible so just suck it up and throw a potentially pointless check into the spaghetti. gcc -DHAVE_CONFIG_H -I. -I.. -DAX25_SYSCONFDIR=\""/usr/local/etc/ax25"\" -DAX25_LOCALSTATEDIR=\""/usr/local/var/ax25"\" -g -O2 -Wall -MT bpqether.o -MD -MP -MF .deps/bpqether.Tpo -c -o bpqether.o bpqether.c In function ‘tun_alloc’, inlined from ‘open_ethertap’ at bpqether.c:196:8: bpqether.c:142:17: warning: ‘strncpy’ output may be truncated copying 15 bytes from a string of length 4095 [-Wstringop-truncation] 142 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Ralf Baechle --- ax25ipd/bpqether.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'ax25ipd') diff --git a/ax25ipd/bpqether.c b/ax25ipd/bpqether.c index db02839..9c0e8e2 100644 --- a/ax25ipd/bpqether.c +++ b/ax25ipd/bpqether.c @@ -139,8 +139,19 @@ static int tun_alloc(char *dev) */ ifr.ifr_flags = IFF_TAP; if (*dev) { - strncpy(ifr.ifr_name, dev, IFNAMSIZ); - ifr.ifr_name[IFNAMSIZ-1] = 0; + /* + * This error check convinces GCC the following strncpy + * won't overflow its destination. + * Sadly the rest of the code is such spaghetty that I + * can't convince myself this is not possible either. + */ + if (strlen(dev) >= IFNAMSIZ) { + close(fd); + fprintf(stderr, "Network device name \"%s\" exceeds system limit %d / IFNAMSIZ.\n", dev, IFNAMSIZ); + + return -1; + } + strcpy(ifr.ifr_name, dev); } err = ioctl(fd, TUNSETIFF, (void *)&ifr); -- cgit v1.2.3
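Review bot: the new comment in tun_alloc() describes an overflow, but the removed pair `strncpy(ifr.ifr_name, dev, IFNAMSIZ);` and `ifr.ifr_name[IFNAMSIZ-1] = 0;` was bounded and NUL-terminated, and the warning quoted in the commit message is -Wstringop-truncation. The actual behaviour change is that an over-long device name is now rejected with -1 instead of being silently truncated, and the comment should say that, since callers that previously got a truncated interface name will now see a failure. The replacement `strcpy(ifr.ifr_name, dev);` is safe only because of the `strlen(dev) >= IFNAMSIZ` check directly above it. Consider storing the length once and copying with memcpy of length + 1, or keeping a bounded copy, so that a later edit that moves or relaxes the check cannot turn this into a real overflow of ifr.ifr_name. Two smaller points: the error text prints IFNAMSIZ as the limit although the longest accepted name is IFNAMSIZ - 1 characters, and "spaghetty" in the comment should read "spaghetti".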