From: "Ali Ahmet MEMIS"
Date: Sat, 25 Apr 2026 14:35:57 +0300
Subject: [PATCH v2] tools/hv: fix parse_ip_val_buffer out-of-bounds write
X-Mailing-List: linux-kernel@vger.kernel.org
Origin-messageId: <20260425113557.24-1-dev@unknownbbqr.xyz>

parse_ip_val_buffer() validates the parsed token length against out_len,
but several callers passed MAX_IP_ADDR_SIZE * 2 while the destination
buffers are much smaller stack arrays (e.g. INET6_ADDRSTRLEN).

This can lead to out-of-bounds writes via strcpy() when a long token is
parsed from host-provided IP/subnet strings.

Use size_t for out_len, switch to bounded copy with memcpy() + explicit
NUL termination, and pass the actual destination buffer sizes at all
call sites.

Signed-off-by: Ali Ahmet MEMIS
---
 tools/hv/hv_kvp_daemon.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c index 1f64c680b..bb31ba9e9 100644 --- a/tools/hv/hv_kvp_daemon.c +++ b/tools/hv/hv_kvp_daemon.c @@ -1162,10 +1162,11 @@ static int is_ipv4(char *addr) } =20 static int parse_ip_val_buffer(char *in_buf, int *offset, - char *out_buf, int out_len) + char *out_buf, size_t out_len) { char *x; char *start; + size_t copy_len; =20 /* * in_buf has sequence of characters that are separated by @@ -1188,8 +1189,10 @@ static int parse_ip_val_buffer(char *in_buf, int *of= fset, while (start[i] =3D=3D ' ') i++; =20 - if ((x - start) <=3D out_len) { - strcpy(out_buf, (start + i)); + copy_len =3D x - (start + i); + if (copy_len < out_len) { + memcpy(out_buf, start + i, copy_len); + out_buf[copy_len] =3D '\0'; *offset +=3D (x - start) + 1; return 1; } @@ -1223,7 +1226,7 @@ static int process_ip_string(FILE *f, char *ip_string= , int type) memset(addr, 0, sizeof(addr)); =20 while (parse_ip_val_buffer(ip_string, &offset, addr, - (MAX_IP_ADDR_SIZE * 2))) { + sizeof(addr))) { =20 sub_str[0] =3D 0; if (is_ipv4(addr)) { @@ -1348,7 +1351,7 @@ static int process_dns_gateway_nm(FILE *f, char *ip_s= tring, int type, memset(addr, 0, sizeof(addr)); =20 if (!parse_ip_val_buffer(ip_string, &ip_offset, addr, - (MAX_IP_ADDR_SIZE * 2))) + sizeof(addr))) break; =20 ip_ver =3D ip_version_check(addr); @@ -1400,12 +1403,11 @@ static int process_ip_string_nm(FILE *f, char *ip_s= tring, char *subnet, memset(subnet_addr, 0, sizeof(subnet_addr)); =20 while (parse_ip_val_buffer(ip_string, &ip_offset, addr, - (MAX_IP_ADDR_SIZE * 2)) && + sizeof(addr)) && parse_ip_val_buffer(subnet, - &subnet_offset, - subnet_addr, - (MAX_IP_ADDR_SIZE * - 2))) { + &subnet_offset, + subnet_addr, + sizeof(subnet_addr))) { ip_ver =3D ip_version_check(addr); if (ip_ver < 0) continue; base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6 --=20 2.53.0
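
Review bot: The comment block in parse_ip_val_buffer() (the `@@ -1162` hunk) still describes only the separator-delimited input and says nothing about out_len, whose meaning this patch tightens: the `copy_len < out_len` check in the next hunk treats it as the full size of out_buf including the terminating NUL. Please document that contract next to the new `size_t out_len` parameter so that a future caller passes the size of its destination rather than a maximum string length. The `size_t copy_len` declared here later receives `x - (start + i)`, a signed pointer difference; a one-line comment stating why x can never precede start + i (the space-skipping loop has to stop at the token terminator) would make the unsigned comparison easier to trust.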
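
Review bot: In the `@@ -1188` hunk a token that fails `copy_len < out_len` is dropped with no diagnostic and without advancing `*offset`, and every call site touched by this patch treats a false return as end of input (the `while (parse_ip_val_buffer(...))` loops and `if (!parse_ip_val_buffer(...)) break;`), so a single overlong entry now silently discards every address that follows it in the same string. Since the accepted length shrinks from MAX_IP_ADDR_SIZE * 2 to the real buffer size, please log the rejection and say in the commit message that overlong tokens end parsing. The length test also changes from `(x - start) <= out_len`, which counted leading spaces, to the trimmed `copy_len`, which is the right quantity to bound but is a second behaviour change that the commit message does not mention.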
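
Review bot: In the process_ip_string_nm() hunk (`@@ -1400`) the `&subnet_offset,` and `subnet_addr,` lines are removed and re-added with only their indentation changed, which mixes whitespace churn into an out-of-bounds-write fix; keeping those lines untouched and changing only the size argument would make the patch smaller and easier to backport. For all three call-site hunks, `sizeof(addr)` and `sizeof(subnet_addr)` give the buffer size only while those names are arrays in the calling scope. The adjacent `memset(addr, 0, sizeof(addr));` context lines suggest they are, but the declarations are outside the visible hunks, so please confirm that each one is a local array and not a pointer parameter.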