diff options
| author | Jonathan Dieter <jdieter@lesbg.com> | 2017-02-27 03:31:03 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-17 00:16:56 -0400 |
| commit | e5dfa3f902b9a642ae8c6997d57d7c41e384a90b (patch) | |
| tree | 7ffbc5d1292e713efc36c224e19099dc343214fb /tools/usb/usbip/libsrc | |
| parent | 2c93e790e8253552227bf9b46a8d49dca3f71b06 (diff) | |
usbip: Fix potential format overflow in userspace tools
The usbip userspace tools call sprintf()/snprintf() and don't check for
the return value which can lead the paths to overflow, truncating the
final file in the path.
More urgently, GCC 7 now warns that these aren't checked with
-Wformat-overflow, and with -Werror enabled in configure.ac, that makes
these tools unbuildable.
This patch fixes these problems by replacing sprintf() with snprintf() in
one place and adding checks for the return value of snprintf().
Reviewed-by: Peter Senna Tschudin <peter.senna@gmail.com>
Signed-off-by: Jonathan Dieter <jdieter@lesbg.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'tools/usb/usbip/libsrc')
| -rw-r--r-- | tools/usb/usbip/libsrc/usbip_common.c | 9 | ||||
| -rw-r--r-- | tools/usb/usbip/libsrc/usbip_host_common.c | 28 |
2 files changed, 31 insertions, 6 deletions
diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c index ac73710473de..1517a232ab18 100644 --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c | |||
| @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i, | |||
| 215 | struct usbip_usb_interface *uinf) | 215 | struct usbip_usb_interface *uinf) |
| 216 | { | 216 | { |
| 217 | char busid[SYSFS_BUS_ID_SIZE]; | 217 | char busid[SYSFS_BUS_ID_SIZE]; |
| 218 | int size; | ||
| 218 | struct udev_device *sif; | 219 | struct udev_device *sif; |
| 219 | 220 | ||
| 220 | sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); | 221 | size = snprintf(busid, sizeof(busid), "%s:%d.%d", |
| 222 | udev->busid, udev->bConfigurationValue, i); | ||
| 223 | if (size < 0 || (unsigned int)size >= sizeof(busid)) { | ||
| 224 | err("busid length %i >= %lu or < 0", size, | ||
| 225 | (long unsigned)sizeof(busid)); | ||
| 226 | return -1; | ||
| 227 | } | ||
| 221 | 228 | ||
| 222 | sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); | 229 | sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); |
| 223 | if (!sif) { | 230 | if (!sif) { |
diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c index 9d415228883d..6ff7b601f854 100644 --- a/tools/usb/usbip/libsrc/usbip_host_common.c +++ b/tools/usb/usbip/libsrc/usbip_host_common.c | |||
| @@ -40,13 +40,20 @@ struct udev *udev_context; | |||
| 40 | static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) | 40 | static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) |
| 41 | { | 41 | { |
| 42 | char status_attr_path[SYSFS_PATH_MAX]; | 42 | char status_attr_path[SYSFS_PATH_MAX]; |
| 43 | int size; | ||
| 43 | int fd; | 44 | int fd; |
| 44 | int length; | 45 | int length; |
| 45 | char status; | 46 | char status; |
| 46 | int value = 0; | 47 | int value = 0; |
| 47 | 48 | ||
| 48 | snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", | 49 | size = snprintf(status_attr_path, sizeof(status_attr_path), |
| 49 | udev->path); | 50 | "%s/usbip_status", udev->path); |
| 51 | if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { | ||
| 52 | err("usbip_status path length %i >= %lu or < 0", size, | ||
| 53 | (long unsigned)sizeof(status_attr_path)); | ||
| 54 | return -1; | ||
| 55 | } | ||
| 56 | |||
| 50 | 57 | ||
| 51 | fd = open(status_attr_path, O_RDONLY); | 58 | fd = open(status_attr_path, O_RDONLY); |
| 52 | if (fd < 0) { | 59 | if (fd < 0) { |
| @@ -218,6 +225,7 @@ int usbip_export_device(struct usbip_exported_device *edev, int sockfd) | |||
| 218 | { | 225 | { |
| 219 | char attr_name[] = "usbip_sockfd"; | 226 | char attr_name[] = "usbip_sockfd"; |
| 220 | char sockfd_attr_path[SYSFS_PATH_MAX]; | 227 | char sockfd_attr_path[SYSFS_PATH_MAX]; |
| 228 | int size; | ||
| 221 | char sockfd_buff[30]; | 229 | char sockfd_buff[30]; |
| 222 | int ret; | 230 | int ret; |
| 223 | 231 | ||
| @@ -237,10 +245,20 @@ int usbip_export_device(struct usbip_exported_device *edev, int sockfd) | |||
| 237 | } | 245 | } |
| 238 | 246 | ||
| 239 | /* only the first interface is true */ | 247 | /* only the first interface is true */ |
| 240 | snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", | 248 | size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", |
| 241 | edev->udev.path, attr_name); | 249 | edev->udev.path, attr_name); |
| 250 | if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { | ||
| 251 | err("exported device path length %i >= %lu or < 0", size, | ||
| 252 | (long unsigned)sizeof(sockfd_attr_path)); | ||
| 253 | return -1; | ||
| 254 | } | ||
| 242 | 255 | ||
| 243 | snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); | 256 | size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); |
| 257 | if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { | ||
| 258 | err("socket length %i >= %lu or < 0", size, | ||
| 259 | (long unsigned)sizeof(sockfd_buff)); | ||
| 260 | return -1; | ||
| 261 | } | ||
| 244 | 262 | ||
| 245 | ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, | 263 | ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, |
| 246 | strlen(sockfd_buff)); | 264 | strlen(sockfd_buff)); |