[ovs-dev] [PATCH 3/3] datapath: Check device name length more carefully in create_dp().

Jesse Gross jesse at nicira.com
Tue Apr 27 18:32:42 UTC 2010

On Tue, Apr 27, 2010 at 11:20 AM, Ben Pfaff <blp at nicira.com> wrote:

> On Tue, Apr 27, 2010 at 11:08:48AM -0700, Jesse Gross wrote:
> > There are some other places where we copy device names from userspace as
> > well.  I don't think that any of them exhibit this bug with an
> unterminated
> > string but they will happily truncate names and go with it.  I'm thinking
> of
> > various places in the vport library and things like querying ports.
> If you point out other problematic cases I'll gladly fix them.
> A lot of port-related stuff goes through struct odp_port, which has an
> IFNAMSIZ-byte field for the name.  So it wouldn't be the kernel doing
> the truncating in that case.
> I only see one use of strncpy_from_user() in datapath.c.  That seems
> the most likely way to copy in a string other than through the
> odp_port struct.

I skimmed through and you're right, most of them make userspace truncate.
 However, there is one additional use of strncpy_from_user() in vport_del(),
which has problems similar to the one in create_dp().
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20100427/3e239fdd/attachment-0003.html>

More information about the dev mailing list