From: "unknownbbqrx"
Date: Thu, 23 Apr 2026 21:06:30 +0300
Subject: [PATCH] tools/hv: fix parse_ip_val_buffer out-of-bounds write
Cc: "unknownbbqrx"
Origin-messageId: <20260423180630.6521-1-dev@unknownbbqr.xyz>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

parse_ip_val_buffer() validates the parsed token length against out_len,
but several callers passed MAX_IP_ADDR_SIZE * 2 while the destination
buffers are much smaller stack arrays (e.g. INET6_ADDRSTRLEN). This can
lead to out-of-bounds writes via strcpy() when a long token is parsed
from host-provided IP/subnet strings.

Use size_t for out_len, switch to bounded copy with memcpy() + explicit
NUL termination, and pass the actual destination buffer sizes at all
call sites.

Signed-off-by: unknownbbqrx
---
 tools/hv/hv_kvp_daemon.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c index c02f8a341..ecf123bce 100644 --- a/tools/hv/hv_kvp_daemon.c +++ b/tools/hv/hv_kvp_daemon.c @@ -1188,10 +1188,11 @@ static int is_ipv4(char *addr) } =20 static int parse_ip_val_buffer(char *in_buf, int *offset, - char *out_buf, int out_len) + char *out_buf, size_t out_len) { char *x; char *start; + size_t copy_len; =20 /* * in_buf has sequence of characters that are separated by @@ -1214,8 +1215,10 @@ static int parse_ip_val_buffer(char *in_buf, int *of= fset, while (start[i] =3D=3D ' ') i++; =20 - if ((x - start) <=3D out_len) { - strcpy(out_buf, (start + i)); + copy_len =3D x - (start + i); + if (copy_len < out_len) { + memcpy(out_buf, start + i, copy_len); + out_buf[copy_len] =3D '\0'; *offset +=3D (x - start) + 1; return 1; } @@ -1249,7 +1252,7 @@ static int process_ip_string(FILE *f, char *ip_string= , int type) memset(addr, 0, sizeof(addr)); =20 while (parse_ip_val_buffer(ip_string, &offset, addr, - (MAX_IP_ADDR_SIZE * 2))) { + sizeof(addr))) { =20 sub_str[0] =3D 0; if (is_ipv4(addr)) { @@ -1374,7 +1377,7 @@ static int process_dns_gateway_nm(FILE *f, char *ip_s= tring, int type, memset(addr, 0, sizeof(addr)); =20 if (!parse_ip_val_buffer(ip_string, &ip_offset, addr, - (MAX_IP_ADDR_SIZE * 2))) + sizeof(addr))) break; =20 ip_ver =3D ip_version_check(addr); 
@@ -1426,12 +1429,11 @@ static int process_ip_string_nm(FILE *f, char *ip_s= tring, char *subnet, memset(subnet_addr, 0, sizeof(subnet_addr)); =20 while (parse_ip_val_buffer(ip_string, &ip_offset, addr, - (MAX_IP_ADDR_SIZE * 2)) && + sizeof(addr)) && parse_ip_val_buffer(subnet, - &subnet_offset, - subnet_addr, - (MAX_IP_ADDR_SIZE * - 2))) { + &subnet_offset, + subnet_addr, + sizeof(subnet_addr))) { ip_ver =3D ip_version_check(addr); if (ip_ver < 0) continue; base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6 prerequisite-patch-id: b61dd51dee390277603975bf729a687113185c3a prerequisite-patch-id: df28525061dd528875c7c75880b4684d80f4aa7d prerequisite-patch-id: 64c48c6f2222781631304d9d4d7d1c712c002610 prerequisite-patch-id: 9be258692732026bf560ed9887adbd02a8887263 --=20 2.53.0
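Review bot: In the signature hunk (@@ -1188,10 +1188,11 @@), out_len changes to size_t but nothing states that it must be the full size of out_buf including room for the terminating NUL, which is the contract the callers got wrong in the first place. A sentence in the comment above or inside the function ("out_len is sizeof the destination; tokens of out_len bytes or more are rejected") would make the new "copy_len < out_len" test self-explanatory and guard against a future caller passing a maximum string length instead of a buffer size.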
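Review bot: In the copy hunk (@@ -1214,8 +1215,10 @@), a token that fails "copy_len < out_len" falls through past "return 1" without any diagnostic, and every caller shown here treats a false return as the end of the list ("while (parse_ip_val_buffer(...", "if (!parse_ip_val_buffer(...)) break;"), so one oversized entry silently discards all the addresses after it. Consider logging the rejection, or returning a distinct error so callers can tell "token too long" from "no more tokens". Two smaller points on the same lines: copy_len is a size_t assigned from the pointer difference "x - (start + i)", which is only non-negative because the space-skipping loop cannot advance past the terminator that x points at, and a short comment saying so would help; and the move from "<=" on the unstripped length to "<" on the stripped length also closes an off-by-one that existed even with a correct out_len, which the changelog does not mention.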
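Review bot: In the process_ip_string() hunk (@@ -1249,7 +1252,7 @@), and likewise in process_dns_gateway_nm(), "sizeof(addr)" is only the buffer size while addr is an array declared in the same function; the declaration is outside the visible context, so please confirm it for each call site. The neighbouring "memset(addr, 0, sizeof(addr));" uses the same idiom, which suggests it holds today, but if addr ever becomes a pointer or a parameter the bound silently shrinks to the pointer size and valid addresses start being rejected.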
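Review bot: In the process_ip_string_nm() hunk (@@ -1426,12 +1429,11 @@), the "&subnet_offset," and "subnet_addr," continuation lines are removed and re-added with no textual change, so the hunk mixes a whitespace re-indent with the functional fix. For a fix that is likely to be backported, either leave the untouched arguments where they were and change only the size argument, or note the re-wrap in the changelog so the functional delta ("(MAX_IP_ADDR_SIZE * 2)" to "sizeof(addr)" and "sizeof(subnet_addr)") is easy to pick out.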