Re: CVE-2024-49995: tipc: guard against string buffer overrun

[Harshit Mogalapalli]

Hi,


On 24/04/25 13:47, Dan Carpenter wrote:
> On Thu, Apr 24, 2025 at 11:41:01AM +0530, Harshit Mogalapalli wrote:
...
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6555a2a9212be6983d2319d65276484f7c5f431a&context=30
> >
> >
> >   	/* validate component parts of bearer name */
> >   	if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) ||
> >   	    (if_len <= 1) || (if_len > TIPC_MAX_IF_NAME))
> >   		return 0;
> >
> >   	/* return bearer name components, if necessary */
> >   	if (name_parts) {
> > -		strcpy(name_parts->media_name, media_name);
> > -		strcpy(name_parts->if_name, if_name);
> > +		if (strscpy(name_parts->media_name, media_name,
> > +			    TIPC_MAX_MEDIA_NAME) < 0)
> > +			return 0;
> > +		if (strscpy(name_parts->if_name, if_name,
> > +			    TIPC_MAX_IF_NAME) < 0)
> > +			return 0;
> >   	}
> >   	return 1;
> >
> >
> >
> > both media_len and if_len have validation checks above the if(name_parts)
> > check. So I think this patch just silences the static checker warnings.
> >
> > Simon/Dan , could you please help confirming that ?
>
> Correct.  The "validate component parts of bearer name" checks are
> sufficient.  This will not affect runtime.

Thanks a lot Dan and Simon for confirming this.

Greg: Should we get this CVE-2024-49995 revoked ?


Regards,
Harshit
> regards,
> dan carpenter