wok-current diff linux/stuff/linux-usbip-fix-format-overflow-gcc8.patch @ rev 25629
Mass updates for current
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Wed Oct 11 18:45:46 2023 +0000 (9 months ago) |
parents | |
children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/linux/stuff/linux-usbip-fix-format-overflow-gcc8.patch Wed Oct 11 18:45:46 2023 +0000 1.3 @@ -0,0 +1,103 @@ 1.4 +Upstream commit e5dfa3f902b9 ("usbip: Fix potential format overflow in 1.5 +userspace tools") 1.6 + 1.7 + 1.8 +The usbip userspace tools call sprintf()/snprintf() and don't check for 1.9 +the return value which can lead the paths to overflow, truncating the 1.10 +final file in the path. 1.11 + 1.12 +More urgently, GCC 7 now warns that these aren't checked with 1.13 +-Wformat-overflow, and with -Werror enabled in configure.ac, that makes 1.14 +these tools unbuildable. 1.15 + 1.16 +This patch fixes these problems by replacing sprintf() with snprintf() in 1.17 +one place and adding checks for the return value of snprintf(). 1.18 + 1.19 +Reviewed-by: Peter Senna Tschudin <peter.se...@gmail.com> 1.20 +Signed-off-by: Jonathan Dieter <jdie...@lesbg.com> 1.21 +Acked-by: Shuah Khan <shua...@osg.samsung.com> 1.22 +Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> 1.23 +Signed-off-by: Shuah Khan <shua...@osg.samsung.com> 1.24 + 1.25 +diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c 1.26 +index ac73710..01dd4b2 100644 1.27 +--- a/drivers/staging/usbip/userspace/libsrc/usbip_common.c 1.28 ++++ b/drivers/staging/usbip/userspace/libsrc/usbip_common.c 1.29 +@@ -215,9 +215,16 @@ 1.30 + struct usbip_usb_interface *uinf) 1.31 + { 1.32 + char busid[SYSFS_BUS_ID_SIZE]; 1.33 ++ int size; 1.34 + struct udev_device *sif; 1.35 + 1.36 +- sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); 1.37 ++ size = snprintf(busid, sizeof(busid), "%s:%d.%d", 1.38 ++ udev->busid, udev->bConfigurationValue, i); 1.39 ++ if (size < 0 || (unsigned int)size >= sizeof(busid)) { 1.40 ++ err("busid length %i >= %lu or < 0", size, 1.41 ++ (unsigned long)sizeof(busid)); 1.42 ++ return -1; 1.43 ++ } 1.44 + 1.45 + sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); 1.46 + if (!sif) { 1.47 +diff --git a/drivers/staging/usbip/userspace/libsrc/usbip_host_driver.c 1.48 +b/drivers/staging/usbip/userspace/libsrc/usbip_host_driver.c 1.49 +index 9d415228883d..c10379439668 100644 1.50 +--- a/drivers/staging/usbip/userspace/libsrc/usbip_host_driver.c 1.51 ++++ b/drivers/staging/usbip/userspace/libsrc/usbip_host_driver.c 1.52 +@@ -39,13 +39,19 @@ 1.53 + static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) 1.54 + { 1.55 + char status_attr_path[SYSFS_PATH_MAX]; 1.56 ++ int size; 1.57 + int fd; 1.58 + int length; 1.59 + char status; 1.60 + int value = 0; 1.61 + 1.62 +- snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", 1.63 +- udev->path); 1.64 ++ size = snprintf(status_attr_path, sizeof(status_attr_path), 1.65 ++ "%s/usbip_status", udev->path); 1.66 ++ if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { 1.67 ++ err("usbip_status path length %i >= %lu or < 0", size, 1.68 ++ (unsigned long)sizeof(status_attr_path)); 1.69 ++ return -1; 1.70 ++ } 1.71 + 1.72 + if ((fd = open(status_attr_path, O_RDONLY)) < 0) { 1.73 + err("error opening attribute %s", status_attr_path); 1.74 +@@ -224,6 +230,7 @@ 1.75 + { 1.76 + char attr_name[] = "usbip_sockfd"; 1.77 + char sockfd_attr_path[SYSFS_PATH_MAX]; 1.78 ++ int size; 1.79 + char sockfd_buff[30]; 1.80 + int ret; 1.81 + 1.82 +@@ -244,10 +251,20 @@ 1.83 + } 1.84 + 1.85 + /* only the first interface is true */ 1.86 +- snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", 1.87 ++ size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", 1.88 + edev->udev.path, attr_name); 1.89 ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { 1.90 ++ err("exported device path length %i >= %lu or < 0", size, 1.91 ++ (unsigned long)sizeof(sockfd_attr_path)); 1.92 ++ return -1; 1.93 ++ } 1.94 + 1.95 +- snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); 1.96 ++ size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); 1.97 ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { 1.98 ++ err("socket length %i >= %lu or < 0", size, 1.99 ++ (unsigned long)sizeof(sockfd_buff)); 1.100 ++ return -1; 1.101 ++ } 1.102 + 1.103 + ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, 1.104 + strlen(sockfd_buff)); 1.105 +-- 1.106 +2.14.1