Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
bna: adjust ’name’ buf size of bna_tcb and bna_ccb structures
To have enough space to write all possible sprintf() args. Currently ’name’ size is 16, but the first ‘%s’ specifier may already need at least 16 characters, since ‘bnad->netdev->name’ is used there.
For ‘%d’ specifiers, assume that they require:
- 1 char for ’tx_id + tx_info->tcb[i]->id’ sum, BNAD_MAX_TXQ_PER_TX is 8
- 2 chars for ‘rx_id + rx_info->rx_ctrl[i].ccb->id’, BNAD_MAX_RXP_PER_RX is 16
And replace sprintf with snprintf.
Detected using the static analysis tool - Svace.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- linux-hwe @ 4.15.0 (+12 more)
In the Linux kernel, the following vulnerability has been resolved:
bna: adjust ’name’ buf size of bna_tcb and bna_ccb structures
To have enough space to write all possible sprintf() args. Currently ’name’ size is 16, but the first ‘%s’ specifier may already need at least 16 characters, since ‘bnad->netdev->name’ is used there.
For ‘%d’ specifiers, assume that they require:
- 1 char for ’tx_id + tx_info->tcb[i]->id’ sum, BNAD_MAX_TXQ_PER_TX is 8
- 2 chars for ‘rx_id + rx_info->rx_ctrl[i].ccb->id’, BNAD_MAX_RXP_PER_RX is 16
And replace sprintf with snprintf.
Detected using the static analysis tool - Svace.