<div class="gmail_quote">On Tue, Apr 27, 2010 at 12:42 PM, Ben Pfaff <span dir="ltr"><<a href="mailto:blp@nicira.com">blp@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, Apr 27, 2010 at 11:32:42AM -0700, Jesse Gross wrote:<br>
> On Tue, Apr 27, 2010 at 11:20 AM, Ben Pfaff <<a href="mailto:blp@nicira.com">blp@nicira.com</a>> wrote:<br>
><br>
> > On Tue, Apr 27, 2010 at 11:08:48AM -0700, Jesse Gross wrote:<br>
> > > There are some other places where we copy device names from userspace as<br>
> > > well. I don't think that any of them exhibit this bug with an<br>
> > unterminated<br>
> > > string but they will happily truncate names and go with it. I'm thinking<br>
> > of<br>
> > > various places in the vport library and things like querying ports.<br>
> ><br>
> > If you point out other problematic cases I'll gladly fix them.<br>
><br>
</div><div class="im">> I skimmed through and you're right, most of them make userspace truncate.<br>
> However, there is one additional use of strncpy_from_user() in vport_del(),<br>
> which has problems similar to the one in create_dp().<br>
<br>
</div>Thanks. Here's a patch. How does it look?<br>
<br>
>From 21291d67574ae857d028c40b2fcc1116b6be6dfa Mon Sep 17 00:00:00 2001<br>
From: Ben Pfaff <<a href="mailto:blp@nicira.com">blp@nicira.com</a>><br>
Date: Tue, 27 Apr 2010 12:41:11 -0700<br>
Subject: [PATCH] vport: Better handle too-long network device names in vport_del().<br>
<br>
The 'count' argument to strncpy_from_user() is supposed to include space<br>
for the null terminator, so add it in. Also, refuse names that have more<br>
than IFNAMSIZ-1 characters outright, instead of truncating them.<br></blockquote><div><br></div><div>Looks good, thanks. </div></div>