projects / lttng-tools.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix: unchecked buffer size for communication header
[lttng-tools.git] / src / bin / lttng-relayd / cmd-2-11.c
diff --git a/src/bin/lttng-relayd/cmd-2-11.c b/src/bin/lttng-relayd/cmd-2-11.c
index 500f9ce482c1afc4bfbfd6804c7c409ab4119c47..cd23f22d6f3405bcf9913db0c4d97dff7b6736dc 100644 (file)
--- a/src/bin/lttng-relayd/cmd-2-11.c
+++ b/src/bin/lttng-relayd/cmd-2-11.c
@@ -87,12 +87,29 @@ int cmd_create_session_2_11(const struct lttng_buffer_view *payload,
        offset = header_len;
        session_name_view = lttng_buffer_view_from_view(payload, offset,
                        header.session_name_len);
+       if (!lttng_buffer_view_is_valid(&session_name_view)) {
+               ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain session name");
+               ret = -1;
+               goto error;
+       }
+
        offset += header.session_name_len;
        hostname_view = lttng_buffer_view_from_view(payload,
                        offset, header.hostname_len);
+       if (!lttng_buffer_view_is_valid(&hostname_view)) {
+               ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain hostname");
+               ret = -1;
+               goto error;
+       }
+
        offset += header.hostname_len;
        base_path_view = lttng_buffer_view_from_view(payload,
                        offset, header.base_path_len);
+       if (header.base_path_len > 0 && !lttng_buffer_view_is_valid(&base_path_view)) {
+               ERR("Invalid payload in \"cmd_create_session_2_11\": buffer too short to contain base path");
+               ret = -1;
+               goto error;
+       }
 
        /* Validate that names are NULL terminated. */
        if (session_name_view.data[session_name_view.size - 1] != '\0') {
@@ -190,9 +207,12 @@ int cmd_recv_stream_2_11(const struct lttng_buffer_view *payload,
 
        /* Validate that names are (NULL terminated. */
        channel_name_view = lttng_buffer_view_from_view(payload, header_len,
-                           header.channel_name_len);
-       pathname_view = lttng_buffer_view_from_view(payload,
-                       header_len + header.channel_name_len, header.pathname_len);
+                       header.channel_name_len);
+       if (!lttng_buffer_view_is_valid(&channel_name_view)) {
+               ERR("Invalid payload received in \"cmd_recv_stream_2_11\": buffer too short for channel name");
+               ret = -1;
+               goto error;
+       }
 
        if (channel_name_view.data[channel_name_view.size - 1] != '\0') {
                ERR("cmd_recv_stream_2_11 channel_name is invalid (not NULL terminated)");
@@ -200,6 +220,14 @@ int cmd_recv_stream_2_11(const struct lttng_buffer_view *payload,
                goto error;
        }
 
+       pathname_view = lttng_buffer_view_from_view(payload,
+                       header_len + header.channel_name_len, header.pathname_len);
+       if (!lttng_buffer_view_is_valid(&pathname_view)) {
+               ERR("Invalid payload received in \"cmd_recv_stream_2_11\": buffer too short for path name");
+               ret = -1;
+               goto error;
+       }
+
        if (pathname_view.data[pathname_view.size - 1] != '\0') {
                ERR("cmd_recv_stream_2_11 patname is invalid (not NULL terminated)");
                ret = -1;
LTTng 2.0 tools and control repository
This page took 0.023553 seconds and 4 git commands to generate.