From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Tue, 20 Mar 2012 18:24:36 +0000 (-0400)
Subject: Fix out-of-bound write in ltt-events.c
X-Git-Tag: v2.0.0-rc4~1
X-Git-Url: http://git.lttng.org/?p=lttng-ust.git;a=commitdiff_plain;h=48bf7c27ee5af02d9f46a1d5bfa899edc3fd078a

Fix out-of-bound write in ltt-events.c

Valgrind complains that the size allocated is too small for the memcpy,
rightly so (off by one).

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---

diff --git a/liblttng-ust/ltt-events.c b/liblttng-ust/ltt-events.c
index 2b06f3c0..2613d513 100644
--- a/liblttng-ust/ltt-events.c
+++ b/liblttng-ust/ltt-events.c
@@ -181,20 +181,20 @@ int add_pending_probe(struct ltt_event *event, const char *name,
 {
 	struct cds_hlist_head *head;
 	struct ust_pending_probe *e;
-	size_t name_len = strlen(name);
+	size_t name_len = strlen(name) + 1;
 	uint32_t hash;
 
-	if (name_len > LTTNG_UST_SYM_NAME_LEN - 1) {
-		WARN("Truncating tracepoint name %s which exceeds size limits of %u chars", name, LTTNG_UST_SYM_NAME_LEN - 1);
-		name_len = LTTNG_UST_SYM_NAME_LEN - 1;
+	if (name_len > LTTNG_UST_SYM_NAME_LEN) {
+		WARN("Truncating tracepoint name %s which exceeds size limits of %u chars", name, LTTNG_UST_SYM_NAME_LEN);
+		name_len = LTTNG_UST_SYM_NAME_LEN;
 	}
-	hash = jhash(name, name_len, 0);
+	hash = jhash(name, name_len - 1, 0);
 	head = &pending_probe_table[hash & (PENDING_PROBE_HASH_SIZE - 1)];
 	e = zmalloc(sizeof(struct ust_pending_probe) + name_len);
 	if (!e)
 		return -ENOMEM;
-	memcpy(&e->name[0], name, name_len + 1);
-	e->name[name_len] = '\0';
+	memcpy(&e->name[0], name, name_len);
+	e->name[name_len - 1] = '\0';
 	e->loglevel_type = loglevel_type;
 	e->loglevel = loglevel;
 	cds_hlist_add_head(&e->node, head);
@@ -230,7 +230,7 @@ int pending_probe_fix_events(const struct lttng_event_desc *desc)
 	const char *name = desc->name;
 	int ret = 0;
 	struct lttng_ust_event event_param;
-	size_t name_len = strlen(name);
+	size_t name_len = strlen(name) + 1;
 	uint32_t hash;
 
 	/* Wildcard */
@@ -265,11 +265,11 @@ int pending_probe_fix_events(const struct lttng_event_desc *desc)
 		}
 	}
 
-	if (name_len > LTTNG_UST_SYM_NAME_LEN - 1) {
-		WARN("Truncating tracepoint name %s which exceeds size limits of %u chars", name, LTTNG_UST_SYM_NAME_LEN - 1);
-		name_len = LTTNG_UST_SYM_NAME_LEN - 1;
+	if (name_len > LTTNG_UST_SYM_NAME_LEN) {
+		WARN("Truncating tracepoint name %s which exceeds size limits of %u chars", name, LTTNG_UST_SYM_NAME_LEN);
+		name_len = LTTNG_UST_SYM_NAME_LEN;
 	}
-	hash = jhash(name, name_len, 0);
+	hash = jhash(name, name_len - 1, 0);
 	head = &pending_probe_table[hash & (PENDING_PROBE_HASH_SIZE - 1)];
 	cds_hlist_for_each_entry_safe(e, node, p, head, node) {
 		struct ltt_event *event;