tcp: warn if offset reach the maxlen limit when using snprintf

snprintf returns the number of chars that would be written, not number
of chars that were actually written. As such, 'offs' may get larger than
'tbl.maxlen', causing the 'tbl.maxlen - offs' being < 0, and since the
parameter is size_t, it would overflow.

Since using scnprintf may hide the limit error, while the buffer is still
enough now, let's just add a WARN_ON_ONCE in case it reach the limit
in future.

v2: Use WARN_ON_ONCE as Jiri and Eric suggested.

Suggested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 59ded25acd045d90573eb144381df4381ecba837..c9eaf924df63a10ee6047477e5e04dc82f6739a9 100644 (file)
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -340,6 +340,10 @@ static int proc_tcp_fastopen_key(struct ctl_table *table, int write,
                                user_key[i * 4 + 1],
                                user_key[i * 4 + 2],
                                user_key[i * 4 + 3]);
+
+               if (WARN_ON_ONCE(off >= tbl.maxlen - 1))
+                       break;
+
                if (i + 1 < n_keys)
                        off += snprintf(tbl.data + off, tbl.maxlen - off, ",");
        }

diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index c445a81d144ea4ed1c67ad80a96433df35f5f8de..3737ec096650271b49456de9906ccf26465c7b02 100644 (file)
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -256,6 +256,9 @@ void tcp_get_available_congestion_control(char *buf, size_t maxlen)
                offs += snprintf(buf + offs, maxlen - offs,
                                 "%s%s",
                                 offs == 0 ? "" : " ", ca->name);
+
+               if (WARN_ON_ONCE(offs >= maxlen))
+                       break;
        }
        rcu_read_unlock();
 }
@@ -285,6 +288,9 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
                offs += snprintf(buf + offs, maxlen - offs,
                                 "%s%s",
                                 offs == 0 ? "" : " ", ca->name);
+
+               if (WARN_ON_ONCE(offs >= maxlen))
+                       break;
        }
        rcu_read_unlock();
 }

diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
index 4849edb62d52964c61ef2d0601c16baa662e196d..12ab5db2b71cb5781fd9517d944138e1cecbd5dc 100644 (file)
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -92,6 +92,9 @@ void tcp_get_available_ulp(char *buf, size_t maxlen)
                offs += snprintf(buf + offs, maxlen - offs,
                                 "%s%s",
                                 offs == 0 ? "" : " ", ulp_ops->name);
+
+               if (WARN_ON_ONCE(offs >= maxlen))
+                       break;
        }
        rcu_read_unlock();
 }