Fix: illegal memory access in list_events
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tue, 17 May 2016 01:42:46 +0000 (21:42 -0400)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Tue, 17 May 2016 04:29:44 +0000 (00:29 -0400)
Found by Coverity:
CID 1243022 (#1 of 1): Buffer not null terminated
(BUFFER_SIZE_WARNING)23. buffer_size_warning: Calling strncpy with a
maximum size argument of 256 bytes on destination array (tmp_events +
i).name of size 256 bytes might leave the destination string
unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
src/bin/lttng-sessiond/agent.c

index 6841d41928660be42594fe8c6b8a0dc08cc6d300..8e1ef0849fb13b4efb6c27e0e92c68d3fe71784d 100644 (file)
@@ -353,8 +353,11 @@ static ssize_t list_events(struct agent_app *app, struct lttng_event **events)
 
        for (i = 0; i < nb_event; i++) {
                offset += len;
-               strncpy(tmp_events[i].name, reply->payload + offset,
-                               sizeof(tmp_events[i].name));
+               if (lttng_strncpy(tmp_events[i].name, reply->payload + offset,
+                               sizeof(tmp_events[i].name))) {
+                       ret = LTTNG_ERR_INVALID;
+                       goto error;
+               }
                tmp_events[i].pid = app->pid;
                tmp_events[i].enabled = -1;
                len = strlen(reply->payload + offset) + 1;
This page took 0.033996 seconds and 4 git commands to generate.