PING: [PATCH] Don't overflow when writing a key
Jan-Benedict Glaw
jbglaw at lug-owl.de
Thu Oct 7 07:26:17 PDT 2021
On Thu, 2021-10-07 16:19:06 +0200, Richard Weinberger <richard at nod.at> wrote:
> Hmmm, fortify assumes that the buffer behind "to" is sizeof (union ubifs_key) just because
> the function does:
> union ubifs_key *t = to;
> ?
>
> Even though memset() operates on "to" and not "t"...
>
> > Maybe supply key_write() the complete target buffer length and
> > memset() it first, then place the properly formatted key into it?
>
> Well, that's the whole purpose of key_write(). It formats an in-memory key for
> the disk format.
> I fear this is just a matter of static analysis being not smart.
Guess so...
Maybe it'll get better. At least, that's been with a very modern GCC,
so I guess this'll come up again in one way or another. (Either as a
GCC bug, or by not simply having a key[] array where the data is
"magically" written to, but some union with that array and probably a
struct like struct ubifs_key (where, for practical purposes, its
__le32 j32 already is the on-disk representation.)
So ... The code does _not_ overflow, that's good first of all. It's
just a bit confusing how the key bytes are written to the buffer. At
least I was easily distracted by the two different sizes.
Thanks,
Jan-Benedict
--
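The pattern the thread turns on, as an added illustration that is not UBIFS's own code: a small in-memory key is serialised into a larger on-disk key slot, once through a pointer typed as the small union (the shape that confuses a size-inferring checker even though no overflow occurs) and once with the explicit-length variant floated in the quoted mail. The type names, the 8/16-byte sizes and the little-endian store are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN      8   /* assumed: bytes of the in-memory key */
#define MAX_KEY_LEN 16   /* assumed: bytes of the on-disk key slot */

/* Assumed in-memory key type: a union over one small byte array. */
union mem_key {
    uint8_t  u8[KEY_LEN];
    uint32_t u32[KEY_LEN / 4];
};

/* Assumed on-disk node: the key slot is a plain byte array of the larger size. */
struct disk_node {
    uint8_t  key[MAX_KEY_LEN];
    uint32_t payload;
};

/* Little-endian store, independent of host byte order. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Shape discussed in the thread: the first KEY_LEN bytes are written through a
 * pointer typed as the small union, then the tail is cleared with a length
 * derived from the larger slot. Correct at runtime when `to` really is a
 * MAX_KEY_LEN slot, but the object size a checker infers from `t` (KEY_LEN)
 * and the length handed to memset() (MAX_KEY_LEN based) disagree. */
static void key_write_union_cast(const union mem_key *from, void *to)
{
    union mem_key *t = to;
    uint8_t *bytes = to;

    put_le32(t->u8, from->u32[0]);
    put_le32(t->u8 + 4, from->u32[1]);
    memset(bytes + KEY_LEN, 0, MAX_KEY_LEN - KEY_LEN);
}

/* Alternative raised in the thread: pass the full slot length, clear the whole
 * slot first, then place the formatted key. One size governs every write, and
 * an undersized slot is rejected instead of overrun. */
static bool key_write_checked(const union mem_key *from, uint8_t *to, size_t to_len)
{
    if (to == NULL || to_len < MAX_KEY_LEN)
        return false;
    memset(to, 0, to_len);
    put_le32(to, from->u32[0]);
    put_le32(to + 4, from->u32[1]);
    return true;
}

/* Returns 1 when both variants produce identical bytes for a constructed
 * sample key and neither touches the field after the key slot. */
int key_write_variants_agree(void)
{
    union mem_key k;
    struct disk_node a, b;

    k.u32[0] = 0x11223344u;
    k.u32[1] = 0xAABBCCDDu;
    memset(&a, 0x5A, sizeof a);
    memset(&b, 0x5A, sizeof b);

    key_write_union_cast(&k, a.key);
    if (!key_write_checked(&k, b.key, sizeof b.key))
        return 0;

    return memcmp(a.key, b.key, MAX_KEY_LEN) == 0
        && a.key[0] == 0x44 && a.key[7] == 0xAA && a.key[8] == 0
        && a.payload == 0x5A5A5A5Au && b.payload == 0x5A5A5A5Au;
}

/* Returns 1 when the checked variant refuses a slot that is only KEY_LEN wide. */
int key_write_rejects_short_slot(void)
{
    union mem_key k = { .u32 = { 1, 2 } };
    uint8_t slot[KEY_LEN];

    return key_write_checked(&k, slot, sizeof slot) == false;
}
```

Both variants leave the same 16 bytes behind; the difference is only that the second one carries the destination size as a parameter, so the length used for the zero-fill and the length the caller vouches for are the same value, which is what a size-checking build is able to reason about.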