Fix: lttng ABI: lttng_counter_ioctl() tainted scalar

Found by Coverity:

>>>     CID 1476250:    (TAINTED_SCALAR)
>>>     Using tainted variable "local_counter_aggregate.index.number_dimensions" as a loop boundary.

>>>     CID 1476250:    (TAINTED_SCALAR)
>>>     Using tainted variable "local_counter_clear.index.number_dimensions" as a loop boundary.

>>>     CID 1476250:    (TAINTED_SCALAR)
>>>     Using tainted variable "local_counter_read.index.number_dimensions" as a loop boundary.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I7d35cf96781bb18837fe4564e4e8a34aa2ddc310

diff --git a/src/lttng-abi.c b/src/lttng-abi.c
index c0ab0a488d7cade60defda6404badfc2e7061059..fa7eca6ff69109f5de3b6f93abe4b98ef299a68c 100644 (file)
--- a/src/lttng-abi.c
+++ b/src/lttng-abi.c
@@ -650,6 +650,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                if (validate_zeroed_padding(local_counter_read.padding,
                                sizeof(local_counter_read.padding)))
                        return -EINVAL;
+               if (local_counter_read.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+                       return -EINVAL;
 
                /* Cast all indexes into size_t. */
                for (i = 0; i < local_counter_read.index.number_dimensions; i++)
@@ -685,6 +687,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                if (validate_zeroed_padding(local_counter_aggregate.padding,
                                sizeof(local_counter_aggregate.padding)))
                        return -EINVAL;
+               if (local_counter_aggregate.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+                       return -EINVAL;
 
                /* Cast all indexes into size_t. */
                for (i = 0; i < local_counter_aggregate.index.number_dimensions; i++)
@@ -716,6 +720,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                if (validate_zeroed_padding(local_counter_clear.padding,
                                sizeof(local_counter_clear.padding)))
                        return -EINVAL;
+               if (local_counter_clear.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+                       return -EINVAL;
 
                /* Cast all indexes into size_t. */
                for (i = 0; i < local_counter_clear.index.number_dimensions; i++)