Fix: scanf unbounded input

[lttng-tools.git] / src / bin / lttng / commands / enable_events.c

diff --git a/src/bin/lttng/commands/enable_events.c b/src/bin/lttng/commands/enable_events.c
index 29a399e9714ac280011a41837619d500c452bdcd..bd2d997858395ea164b6bbbf410adc258d5eea28 100644 (file)
--- a/src/bin/lttng/commands/enable_events.c
+++ b/src/bin/lttng/commands/enable_events.c
@@ -30,6 +30,10 @@
 #include "../command.h"
 #include <src/common/sessiond-comm/sessiond-comm.h>
 
+#if (LTTNG_SYMBOL_NAME_LEN == 256)
+#define LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API    "255"
+#endif
+
 static char *opt_event_list;
 static int opt_event_type;
 static const char *opt_loglevel;
@@ -226,6 +230,7 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 {
        int ret;
        char s_hex[19];
+#define S_HEX_LEN_SCANF_IS_A_BROKEN_API "18"   /* 18 is (19 - 1) (\0 is extra) */
        char name[LTTNG_SYMBOL_NAME_LEN];
 
        if (opt == NULL) {
@@ -234,7 +239,8 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
        }
 
        /* Check for symbol+offset */
-       ret = sscanf(opt, "%[^'+']+%s", name, s_hex);
+       ret = sscanf(opt, "%" LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API
+                       "[^'+']+%" S_HEX_LEN_SCANF_IS_A_BROKEN_API "s", name, s_hex);
        if (ret == 2) {
                strncpy(ev->attr.probe.symbol_name, name, LTTNG_SYMBOL_NAME_LEN);
                ev->attr.probe.symbol_name[LTTNG_SYMBOL_NAME_LEN - 1] = '\0';
@@ -252,7 +258,8 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 
        /* Check for symbol */
        if (isalpha(name[0])) {
-               ret = sscanf(opt, "%s", name);
+               ret = sscanf(opt, "%" LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API "s",
+                       name);
                if (ret == 1) {
                        strncpy(ev->attr.probe.symbol_name, name, LTTNG_SYMBOL_NAME_LEN);
                        ev->attr.probe.symbol_name[LTTNG_SYMBOL_NAME_LEN - 1] = '\0';
@@ -265,7 +272,7 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
        }
 
        /* Check for address */
-       ret = sscanf(opt, "%s", s_hex);
+       ret = sscanf(opt, "%" S_HEX_LEN_SCANF_IS_A_BROKEN_API "s", s_hex);
        if (ret > 0) {
                if (*s_hex == '\0') {
                        ERR("Invalid probe address %s", s_hex);