From: Jérémie Galarneau Date: Thu, 19 Sep 2019 18:24:34 +0000 (-0400) Subject: Fix: lttng: out-of-bound copy of arguments in 'view' command handler X-Git-Tag: v2.12.0-rc1~364 X-Git-Url: http://git.lttng.org/?p=lttng-tools.git;a=commitdiff_plain;h=e20ca0249f0a7b3b8e2d8f50437e63ea17b8f6e9 Fix: lttng: out-of-bound copy of arguments in 'view' command handler The 'size' operand of memcpy() does not indicate the length of the opts array; it is the size of the resulting array once the opts array is concatenated with the options being added in this function. This results in out-of-bound read(s) in the opts array. Use 'sizeof(char *) * opts_len' as the length to copy at the beginning of the resulting array. Signed-off-by: Jérémie Galarneau --- diff --git a/src/bin/lttng/commands/view.c b/src/bin/lttng/commands/view.c index 0325e505c..8e63a8997 100644 --- a/src/bin/lttng/commands/view.c +++ b/src/bin/lttng/commands/view.c @@ -188,7 +188,7 @@ static char **alloc_argv_from_local_opts(const char **opts, size_t opts_len, goto error; } - memcpy(argv, opts, size); + memcpy(argv, opts, sizeof(char *) * opts_len); if (session_live_mode) { argv[opts_len] = "-i";
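Review bot: In the replacement memcpy() line of alloc_argv_from_local_opts(), the byte count is spelled as 'sizeof(char *) * opts_len', which hard-codes the element type instead of deriving it from the arrays being copied. Writing it as 'sizeof(*argv) * opts_len' keeps the length tied to the destination's declaration if that type ever changes. Because 'size' stays in scope and looks like a plausible copy length, a one-line comment at this call stating that 'size' is the size of the resulting array, not of opts, would help prevent the same mistake from being reintroduced. The hunk does not show where 'size' is computed, so it is worth confirming at that site that the allocation covers opts_len entries plus every entry written after them, beginning with 'argv[opts_len] = "-i";'.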