From patchwork Fri Mar 1 23:16:20 2024
X-Patchwork-Submitter: "Leon M. Busch-George"
X-Patchwork-Id: 1906973
From: "Leon M. Busch-George"
To: openwrt-devel@lists.openwrt.org
Cc: "Leon M. Busch-George"
Subject: [PATCH 1/3] respect limitedness of the phy name buffer
Date: Sat, 2 Mar 2024 00:16:20 +0100
Message-ID: <20240301231721.139669-2-leon@georgemail.de>
In-Reply-To: <20240301231721.139669-1-leon@georgemail.de>
References: <20240301231721.139669-1-leon@georgemail.de>

From: "Leon M. Busch-George"

This prevents potential buffer overflows while writing to the phy name buffer. Additionally, truncated data is not returned so consumers don't work with unterminated data, preventing out-of-bounds access. Sadly, consumers like lookup_phy or phyname don't know the size of their respective target buffers without changing the interface.

Signed-off-by: Leon M. Busch-George

--- iwinfo_nl80211.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c index 2200249..2ea5925 100644 --- a/iwinfo_nl80211.c +++ b/iwinfo_nl80211.c 
@@ -34,6 +34,7 @@ #define min(x, y) ((x) < (y)) ? (x) : (y) #define BIT(x) (1ULL<<(x)) +#define PHY_NAME_BUFFER_SIZE (32) static struct nl80211_state *nls = NULL; @@ -761,31 +762,36 @@ static int nl80211_phyname_cb(struct nl_msg *msg, void *arg) char *buf = arg; struct nlattr **attr = nl80211_parse(msg); - if (attr[NL80211_ATTR_WIPHY_NAME]) - memcpy(buf, nla_data(attr[NL80211_ATTR_WIPHY_NAME]), - nla_len(attr[NL80211_ATTR_WIPHY_NAME])); - else + if (!attr[NL80211_ATTR_WIPHY_NAME]) { buf[0] = 0; + return NL_SKIP; + } + + int len = nla_len(attr[NL80211_ATTR_WIPHY_NAME]); + if (len > PHY_NAME_BUFFER_SIZE) + len = PHY_NAME_BUFFER_SIZE; + + memcpy(buf, nla_data(attr[NL80211_ATTR_WIPHY_NAME]), len); return NL_SKIP; } static char * nl80211_ifname2phy(const char *ifname) { - static char phy[32] = { 0 }; + static char phy[PHY_NAME_BUFFER_SIZE] = { 0 }; memset(phy, 0, sizeof(phy)); nl80211_request(ifname, NL80211_CMD_GET_WIPHY, 0, nl80211_phyname_cb, phy); - return phy[0] ? phy : NULL; + return (phy[0] && !phy[sizeof(phy) - 1]) ? phy : NULL; } static char * nl80211_phyidx2name(unsigned int idx) { struct nl80211_msg_conveyor *cv; - static char phy[32] = { 0 }; + static char phy[PHY_NAME_BUFFER_SIZE] = { 0 }; if (nl80211_init() < 0) return NULL; @@ -799,7 +805,7 @@ static char * nl80211_phyidx2name(unsigned int idx) memset(phy, 0, sizeof(phy)); nl80211_send(cv, nl80211_phyname_cb, phy); - return phy[0] ? phy : NULL; + return (phy[0] && !phy[sizeof(phy) - 1]) ? phy : NULL; nla_put_failure: return NULL;
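
Review bot: PHY_NAME_BUFFER_SIZE in the first hunk (@@ -34,6 +34,7) has no comment saying whether the 32 bytes include the terminating NUL. Because the callers further down return NULL when phy[sizeof(phy) - 1] is non-zero, the longest name that survives is PHY_NAME_BUFFER_SIZE - 1 bytes; a one-line comment next to the define stating that would keep later users from sizing buffers off by one. The parentheses around the literal 32 are harmless but not needed.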
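
Review bot: in nl80211_phyname_cb (hunk @@ -761,31 +762,36) the clamp to PHY_NAME_BUFFER_SIZE still trusts that arg points at a buffer of exactly that size, and on truncation it leaves buf without a terminator, so safety depends on every caller zeroing the buffer first and testing the last byte afterwards. Consider handling truncation in the callback itself (set buf[0] = 0 when the name does not fit together with its terminator, otherwise copy and terminate), or pass a small struct carrying the buffer pointer and its size so the bound is not an implicit contract. As a style point, int len is declared after a statement; move the declaration to the top of the function if the rest of the file declares variables first.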
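
Review bot: the return expression (phy[0] && !phy[sizeof(phy) - 1]) in nl80211_phyidx2name (hunk @@ -799,7 +805,7) duplicates the one added to nl80211_ifname2phy and is only correct because memset(phy, 0, sizeof(phy)) runs before the request is sent. A short comment saying that a non-zero last byte means the name was truncated, or a shared helper used by both functions, would make that dependency explicit and keep the two call sites from drifting apart.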