X-Git-Url: https://git.lttng.org/?a=blobdiff_plain;ds=sidebyside;f=src%2Fbin%2Flttng-relayd%2Fcmd-2-11.c;h=aa97dd0f0e0ddfd3e36f7e7857876f70c80864a7;hb=87250ba19aec78f36e301494a03f5678fcb6fbb4;hp=500f9ce482c1afc4bfbfd6804c7c409ab4119c47;hpb=ab5be9fa2eb5ba9600a82cd18fd3cfcbac69169a;p=lttng-tools.git

diff --git a/src/bin/lttng-relayd/cmd-2-11.c b/src/bin/lttng-relayd/cmd-2-11.c
index 500f9ce48..aa97dd0f0 100644
--- a/src/bin/lttng-relayd/cmd-2-11.c
+++ b/src/bin/lttng-relayd/cmd-2-11.c
@@ -6,7 +6,6 @@
  */
 
 #define _LGPL_SOURCE
-#include <assert.h>
 #include <inttypes.h>
 
 #include <common/common.h>
@@ -87,12 +86,29 @@ int cmd_create_session_2_11(const struct lttng_buffer_view *payload,
 	offset = header_len;
 	session_name_view = lttng_buffer_view_from_view(payload, offset,
 			header.session_name_len);
+	if (!lttng_buffer_view_is_valid(&session_name_view)) {
+		ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain session name");
+		ret = -1;
+		goto error;
+	}
+
 	offset += header.session_name_len;
 	hostname_view = lttng_buffer_view_from_view(payload,
 			offset, header.hostname_len);
+	if (!lttng_buffer_view_is_valid(&hostname_view)) {
+		ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain hostname");
+		ret = -1;
+		goto error;
+	}
+
 	offset += header.hostname_len;
 	base_path_view = lttng_buffer_view_from_view(payload,
 			offset, header.base_path_len);
+	if (header.base_path_len > 0 && !lttng_buffer_view_is_valid(&base_path_view)) {
+		ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain base path");
+		ret = -1;
+		goto error;
+	}
 
 	/* Validate that names are NULL terminated. */
 	if (session_name_view.data[session_name_view.size - 1] != '\0') {
@@ -190,9 +206,12 @@ int cmd_recv_stream_2_11(const struct lttng_buffer_view *payload,
 
 	/* Validate that names are (NULL terminated. */
 	channel_name_view = lttng_buffer_view_from_view(payload, header_len,
-			    header.channel_name_len);
-	pathname_view = lttng_buffer_view_from_view(payload,
-			header_len + header.channel_name_len, header.pathname_len);
+			header.channel_name_len);
+	if (!lttng_buffer_view_is_valid(&channel_name_view)) {
+		ERR("Invalid payload received in \"cmd_recv_stream_2_11\": buffer too short for channel name");
+		ret = -1;
+		goto error;
+	}
 
 	if (channel_name_view.data[channel_name_view.size - 1] != '\0') {
 		ERR("cmd_recv_stream_2_11 channel_name is invalid (not NULL terminated)");
@@ -200,6 +219,14 @@ int cmd_recv_stream_2_11(const struct lttng_buffer_view *payload,
 		goto error;
 	}
 
+	pathname_view = lttng_buffer_view_from_view(payload,
+			header_len + header.channel_name_len, header.pathname_len);
+	if (!lttng_buffer_view_is_valid(&pathname_view)) {
+		ERR("Invalid payload received in \"cmd_recv_stream_2_11\": buffer too short for path name");
+		ret = -1;
+		goto error;
+	}
+
 	if (pathname_view.data[pathname_view.size - 1] != '\0') {
 		ERR("cmd_recv_stream_2_11 patname is invalid (not NULL terminated)");
 		ret = -1;