From 7a673d9947d11a37d08be89a5c157afdfd377f9f Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Tue, 9 Oct 2012 12:47:31 -0400
Subject: [PATCH] Fix: memcpy of string is larger than source

Hollis Blanchard <hollis_blanchard@mentor.com> wrote:
> I seem to have hit a little problem with a "hello world" test app and
> lttng-ust 2.0.3. lttng-ust.git seems to be affected as well. Basically,
> I created a single UST tracepoint, but as soon as I run "lttng
> enable-event -u -a", my app segfaults. The problem seems to be that when
> creating the event to pass to ltt_event_create(), we try to memcpy the
> full 256 bytes of name. However, the name might be shorter, and if we
> get unlucky it falls within 256 bytes of the segment boundary...

Fixing the 3 sites where this issue arise. Manually inspecting all
memcpy in the UST code returned by grep did the job.

Reported-by: Hollis Blanchard <hollis_blanchard@mentor.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
 liblttng-ust/ltt-events.c | 3 ++-
 liblttng-ust/ltt-probes.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/liblttng-ust/ltt-events.c b/liblttng-ust/ltt-events.c
index 82a1119c..d2c922b6 100644
--- a/liblttng-ust/ltt-events.c
+++ b/liblttng-ust/ltt-events.c
@@ -248,9 +248,10 @@ int pending_probe_fix_events(const struct lttng_event_desc *desc)
 
 				memcpy(&event_param, &sw->event_param,
 						sizeof(event_param));
-				memcpy(event_param.name,
+				strncpy(event_param.name,
 					desc->name,
 					sizeof(event_param.name));
+				event_param.name[sizeof(event_param.name) - 1] = '\0';
 				/* create event */
 				ret = ltt_event_create(sw->chan,
 					&event_param, NULL,
diff --git a/liblttng-ust/ltt-probes.c b/liblttng-ust/ltt-probes.c
index 02df21b2..15c83873 100644
--- a/liblttng-ust/ltt-probes.c
+++ b/liblttng-ust/ltt-probes.c
@@ -254,9 +254,10 @@ void ltt_probes_create_wildcard_events(struct wildcard_entry *entry,
 
 				memcpy(&event_param, &wildcard->event_param,
 						sizeof(event_param));
-				memcpy(event_param.name,
+				strncpy(event_param.name,
 					event_desc->name,
 					sizeof(event_param.name));
+				event_param.name[sizeof(event_param.name) - 1] = '\0';
 				/* create event */
 				ret = ltt_event_create(wildcard->chan,
 					&event_param, NULL,
-- 
2.34.1