Security context names are not guaranteed to be NUL-terminated by the
kernel, so we can't just print them using %s directly. The length of
the string is determined by sctx->ctx_len, so we can use that to limit
what fprintf outputs.

While at it, factor that out to a separate function, since the exact
same code is used to print the security context for both policies and
states.

Fixes: b2bb289a57fe ("xfrm security context support")
Reported-by: Paul Wouters <pwout...@redhat.com>
Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
---
v2: drop the memcpy and use %.*s, suggested by Stephen Hemminger

 ip/ipxfrm.c | 43 +++++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 26 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index e4a72bd06778..8a794032cf12 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -916,6 +916,19 @@ static int xfrm_selector_iszero(struct xfrm_selector *s)
        return (memcmp(&s0, s, sizeof(s0)) == 0);
 }
 
+static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
+{
+       struct xfrm_user_sec_ctx *sctx;
+
+       fprintf(fp, "\tsecurity context ");
+
+       if (RTA_PAYLOAD(attr) < sizeof(*sctx))
+               fprintf(fp, "(ERROR truncated)");
+
+       sctx = RTA_DATA(attr);
+       fprintf(fp, "%.*s %s", sctx->ctx_len, (char *)(sctx + 1), _SL_);
+}
+
 void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
                            struct rtattr *tb[], FILE *fp, const char *prefix,
                            const char *title, bool nokeys)
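Review bot: The short-payload check in xfrm_sec_ctx_print() prints "(ERROR truncated)" but does not return, so `sctx->ctx_len` is still read from an attribute that is smaller than `struct xfrm_user_sec_ctx`. The `%.*s` precision is also taken from `ctx_len` without comparing it with the bytes that actually follow the header, so a `ctx_len` larger than `RTA_PAYLOAD(attr) - sizeof(*sctx)` may still let fprintf read past the attribute. Returning early on the short payload and clamping the precision to the remaining payload would bound both reads. The missing return was carried over unchanged from the two call-site copies this patch removes.

```c
static void xfrm_sec_ctx_print(FILE *fp, struct rtattr *attr)
{
	struct xfrm_user_sec_ctx *sctx;
	size_t avail, len;

	/* … unchanged: "\tsecurity context " prefix … */

	if (RTA_PAYLOAD(attr) < sizeof(*sctx)) {
		/* Header itself is incomplete: ctx_len cannot be trusted. */
		fprintf(fp, "(ERROR truncated) %s", _SL_);
		return;
	}

	sctx = RTA_DATA(attr);
	/* Never print more bytes than the attribute actually carries. */
	avail = RTA_PAYLOAD(attr) - sizeof(*sctx);
	len = sctx->ctx_len < avail ? sctx->ctx_len : avail;
	fprintf(fp, "%.*s %s", (int)len, (char *)(sctx + 1), _SL_);
}
```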
@@ -983,19 +996,8 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
                xfrm_stats_print(&xsinfo->stats, fp, buf);
        }
 
-       if (tb[XFRMA_SEC_CTX]) {
-               struct xfrm_user_sec_ctx *sctx;
-
-               fprintf(fp, "\tsecurity context ");
-
-               if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-                       fprintf(fp, "(ERROR truncated)");
-
-               sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-               fprintf(fp, "%s %s", (char *)(sctx + 1), _SL_);
-       }
-
+       if (tb[XFRMA_SEC_CTX])
+               xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 }
 
 void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
@@ -1006,19 +1008,8 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info 
*xpinfo,
 
        xfrm_selector_print(&xpinfo->sel, preferred_family, fp, title);
 
-       if (tb[XFRMA_SEC_CTX]) {
-               struct xfrm_user_sec_ctx *sctx;
-
-               fprintf(fp, "\tsecurity context ");
-
-               if (RTA_PAYLOAD(tb[XFRMA_SEC_CTX]) < sizeof(*sctx))
-                       fprintf(fp, "(ERROR truncated)");
-
-               sctx = RTA_DATA(tb[XFRMA_SEC_CTX]);
-
-               fprintf(fp, "%s ", (char *)(sctx + 1));
-               fprintf(fp, "%s", _SL_);
-       }
+       if (tb[XFRMA_SEC_CTX])
+               xfrm_sec_ctx_print(fp, tb[XFRMA_SEC_CTX]);
 
        if (prefix)
                strlcat(buf, prefix, sizeof(buf));
-- 
2.30.1
