[ovs-dev] [PATCH 3/3] datapath: Check device name length more carefully in create_dp().
jesse at nicira.com
Tue Apr 27 18:32:42 UTC 2010
On Tue, Apr 27, 2010 at 11:20 AM, Ben Pfaff <blp at nicira.com> wrote:
> On Tue, Apr 27, 2010 at 11:08:48AM -0700, Jesse Gross wrote:
> > There are some other places where we copy device names from userspace as
> > well. I don't think that any of them exhibit this bug with an
> > string but they will happily truncate names and go with it. I'm thinking
> > various places in the vport library and things like querying ports.
> If you point out other problematic cases I'll gladly fix them.
> A lot of port-related stuff goes through struct odp_port, which has an
> IFNAMSIZ-byte field for the name. So it wouldn't be the kernel doing
> the truncating in that case.
> I only see one use of strncpy_from_user() in datapath.c. That seems
> the most likely way to copy in a string other than through the
> odp_port struct.
I skimmed through and you're right, most of them make userspace truncate.
However, there is one additional use of strncpy_from_user() in vport_del(),
which has problems similar to the one in create_dp().
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dev