Merge 0cfff2e5da into 99ab67143a

bcmserver: fix buffer overflow

.github/workflows/compile.yml

@@ -75,7 +75,6 @@ jobs:
                 gcc \
                 gcc-aarch64-linux-gnu \
                 gcc-arm-linux-gnueabihf \
-                gcc-mips-linux-gnu \
                 libgps-dev \
                 make
 
@@ -139,13 +138,6 @@ jobs:
         podman exec -i stable cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_TOOLCHAIN_FILE=cmake/${toolchain}.cmake -DENABLE_WERROR=ON -DENABLE_GPS=${gps} -B build-${toolchain}
         podman exec -i stable cmake --build build-${toolchain}
 
-    - name: Configure & Build with mips-linux-gnu-gcc
-      env:
-        toolchain: mips-linux-gnu-gcc
-      run: |
-        podman exec -i stable cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_TOOLCHAIN_FILE=cmake/${toolchain}.cmake -DENABLE_WERROR=ON -B build-${toolchain}
-        podman exec -i stable cmake --build build-${toolchain}
-
     - name: Configure & Build with gcc (Makefile)
       env:
         cc: gcc

bcmserver.c

@@ -153,7 +153,7 @@ int main(void)
 
 	char buf[MAXLEN];
 	char format[FORMATSZ];
-	char rxmsg[50];
+	char rxmsg[64];
 
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wpragmas"
@@ -234,7 +234,7 @@ int main(void)
 	}
 
 	while (1) {
-
+again:
 		FD_ZERO(&readfds);
 		FD_SET(sc, &readfds);
 		FD_SET(sa, &readfds);
@@ -242,6 +242,8 @@ int main(void)
 		select((sc > sa)?sc+1:sa+1, &readfds, NULL, NULL, NULL);
 
 		if (FD_ISSET(sc, &readfds)) {
+			size_t size = sizeof(rxmsg);
+			int len = 0, res;
 
 			recvfrom(sc, &msg, sizeof(msg), 0,
 				 (struct sockaddr*)&caddr, &caddrlen);
@@ -249,17 +251,35 @@ int main(void)
 			ifr.ifr_ifindex = caddr.can_ifindex;
 			ioctl(sc, SIOCGIFNAME, &ifr);
 
-			sprintf(rxmsg, "< %s %03X %d ", ifr.ifr_name,
+			res = snprintf(rxmsg, size, "< %s %03X %d ", ifr.ifr_name,
 				       msg.msg_head.can_id, msg.frame.can_dlc);
+			if (res < 0 || (size_t)res >= size) {
+				printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+				continue;
+			}
 
-			for ( i = 0; i < msg.frame.can_dlc; i++)
-				sprintf(rxmsg + strlen(rxmsg), "%02X ",
-					msg.frame.data[i]);
+			len += res;
+
+			for (i = 0; i < msg.frame.can_dlc; i++) {
+				res = snprintf(rxmsg + len, size - len, "%02X ", msg.frame.data[i]);
+				if (res < 0 || (size_t)res >= (size - len)) {
+					printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+					goto again;
+				}
+
+				len += res;
+			}
 
 			/* delimiter '\0' for Adobe(TM) Flash(TM) XML sockets */
-			strcat(rxmsg, ">\0");
+			res = snprintf(rxmsg + len, size - len, ">");
+			if (res < 0 || (size_t)res >= (size - len)) {
+				printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+				continue;
+			}
 
-			send(sa, rxmsg, strlen(rxmsg) + 1, 0);
+			len += res;
+
+			send(sa, rxmsg, len + 1, 0);
 		}
 
 

canerrsim.c

@@ -25,6 +25,7 @@
 #include <linux/can/error.h>
 #include <linux/can/raw.h>
 #include <net/if.h>
+#include <stdarg.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -122,27 +123,25 @@ void show_help_and_exit()
 	exit(EXIT_SUCCESS);
 }
 
-void err_exit(const char *msg)
+void __attribute__((format (printf, 1, 2))) err_exit(const char *format, ...)
 {
-	printf("%s", msg);
-	exit(EXIT_FAILURE);
-}
+	va_list ap;
 
-void show_custom_format_and_exit(const char *param, const char *format)
-{
-	char str_buf[80];
-	sprintf(str_buf, format, param);
-	err_exit(str_buf);
+	va_start(ap, format);
+	vfprintf(stdout, format, ap);
+	va_end(ap);
+
+	exit(EXIT_FAILURE);
 }
 
 void show_invalid_option(const char *option)
 {
-	show_custom_format_and_exit(option, "Error: Invalid option %s\n");
+	err_exit("Error: Invalid option %s\n", option);
 }
 
 void show_err_and_exit(const char *err_type)
 {
-	show_custom_format_and_exit(err_type, "Error: You can only have one %s parameter!\n");
+	err_exit("Error: You can only have one %s parameter!\n", err_type);
 }
 
 void show_loc_err_and_exit()
@@ -176,7 +175,6 @@ int main(int argc, char *argv[])
 	struct ifreq ifr;
 	struct can_frame frame;
 	bool show_bits = false, location_processed = false, transceiver_processed = false, arbitration_processed = false;
-	char tmp_str[256];
 
 	printf("CAN Sockets Error Messages Simulator\n");
 	if (argc < 3)
@@ -537,24 +535,25 @@ int main(int argc, char *argv[])
 
 	// create socket
 	if ((sock = socket(PF_CAN, SOCK_RAW, CAN_RAW)) < 0)
-		err_exit("Error while opening socket");
+		err_exit("Error while opening socket\n");
 
 	// set interface name
+	if (strlen(argv[1]) >= IFNAMSIZ)
+		err_exit("Name of CAN device '%s' is too long!\n\n", argv[1]);
+
 	strcpy(ifr.ifr_name, argv[1]); // can0, vcan0...
-	if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0) {
-		sprintf(tmp_str, "Error setting CAN interface name %s", argv[1]);
-		err_exit(tmp_str);
-	}
+	if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0)
+		err_exit("Error setting CAN interface name %s\n", argv[1]);
 
 	// bind socket to the CAN interface
 	addr.can_family = AF_CAN;
 	addr.can_ifindex = ifr.ifr_ifindex;
 	if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
-		err_exit("Error in socket bind");
+		err_exit("Error in socket bind\n");
 
 	// Send CAN error frame
 	if (write(sock, &frame, sizeof(frame)) < 0)
-		err_exit("Error writing to socket");
+		err_exit("Error writing to socket\n");
 	else
 		printf("CAN error frame sent\n");
 

isotpsniffer.c

@@ -59,6 +59,7 @@
 #include <linux/can.h>
 #include <linux/can/isotp.h>
 #include <linux/sockios.h>
+#include <errno.h>
 
 #define NO_CAN_ID 0xFFFFFFFFU
 
@@ -66,6 +67,8 @@
 #define FORMAT_ASCII 2
 #define FORMAT_DEFAULT (FORMAT_ASCII | FORMAT_HEX)
 
+#define PDU_BUF_SIZE 4096
+
 void print_usage(char *prg)
 {
 	fprintf(stderr, "\nUsage: %s [options] <CAN interface>\n", prg);
@@ -79,6 +82,7 @@ void print_usage(char *prg)
 	fprintf(stderr, "         -f <format>  (1 = HEX, 2 = ASCII, 3 = HEX & ASCII - default: %d)\n", FORMAT_DEFAULT);
 	fprintf(stderr, "         -L           (set link layer options for CAN FD)\n");
 	fprintf(stderr, "         -h <len>     (head: print only first <len> bytes)\n");
+	fprintf(stderr, "         -i           (ignore syscall errors to receive malformed PDUs)\n");
 	fprintf(stderr, "\nCAN IDs and addresses are given and expected in hexadecimal values.\n");
 	fprintf(stderr, "\n");
 }
@@ -189,15 +193,16 @@ int main(int argc, char **argv)
 	int head = 0;
 	int timestamp = 0;
 	int format = FORMAT_DEFAULT;
+	int ignore_errors = 0;
 	canid_t src = NO_CAN_ID;
 	canid_t dst = NO_CAN_ID;
 	extern int optind, opterr, optopt;
 	static struct timeval tv, last_tv;
 
-	unsigned char buffer[4096];
+	unsigned char buffer[PDU_BUF_SIZE];
 	int nbytes;
 
-	while ((opt = getopt(argc, argv, "s:d:x:X:h:ct:f:L?")) != -1) {
+	while ((opt = getopt(argc, argv, "s:d:x:X:h:ct:f:L?i")) != -1) {
 		switch (opt) {
 		case 's':
 			src = strtoul(optarg, NULL, 16);
@@ -249,6 +254,10 @@ int main(int argc, char **argv)
 			}
 			break;
 
+		case 'i':
+			ignore_errors = 1;
+			break;
+
 		case '?':
 			print_usage(basename(argv[0]));
 			goto out;
@@ -367,31 +376,37 @@ int main(int argc, char **argv)
 		}
 
 		if (FD_ISSET(s, &rdfs)) {
-			nbytes = read(s, buffer, 4096);
+			nbytes = read(s, buffer, PDU_BUF_SIZE);
 			if (nbytes < 0) {
 				perror("read socket s");
 				r = 1;
+				if(!ignore_errors)
 					goto out;
 			}
-			if (nbytes > 4095) {
+			if (nbytes > (PDU_BUF_SIZE - 1)) {
 				r = 1;
+				fprintf(stderr, "PDU length %d longer than PDU buffer: %s\n", nbytes, strerror(errno));
 				goto out;
 			}
+			if(nbytes > 0)
 				printbuf(buffer, nbytes, color?2:0, timestamp, format,
 					 &tv, &last_tv, dst, s, if_name, head);
 		}
 
 		if (FD_ISSET(t, &rdfs)) {
-			nbytes = read(t, buffer, 4096);
+			nbytes = read(t, buffer, PDU_BUF_SIZE);
 			if (nbytes < 0) {
 				perror("read socket t");
 				r = 1;
+				if(!ignore_errors)
 					goto out;
 			}
-			if (nbytes > 4095) {
+			if (nbytes > (PDU_BUF_SIZE - 1)) {
 				r = 1;
+				fprintf(stderr, "PDU length %d longer than PDU buffer: %s\n", nbytes, strerror(errno));
 				goto out;
 			}
+			if(nbytes > 0)
 				printbuf(buffer, nbytes, color?1:0, timestamp, format,
 					 &tv, &last_tv, src, t, if_name, head);
 		}

mcp251xfd/mcp251xfd-regmap.c

@@ -72,8 +72,7 @@ int mcp251xfd_regmap_read(struct mcp251xfd_priv *priv,
 		return 0;
 
 	/* maybe it's something like "spi0.0" */
-	tmp = strchr(file_path, '/');
-	if (tmp)
+	if (strchr(file_path, '/'))
 		return -ENOENT;
 
 	/* first try literally */