Fix: illegal memory access in add_uri_to_consumer
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tue, 17 May 2016 01:42:43 +0000 (21:42 -0400)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Tue, 17 May 2016 04:29:44 +0000 (00:29 -0400)
Found by Coverity:

CID 1243038 (#1 of 1): Buffer not null terminated
(BUFFER_SIZE_WARNING)15. buffer_size_warning: Calling strncpy with a
maximum size argument of 4096 bytes on destination array
consumer->dst.trace_path of size 4096 bytes might leave the destination
string unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
src/bin/lttng-sessiond/cmd.c

index d443d7926b7d9c25fc1b3dcdcbb8b1ced0bc97a4..1327e42e4ddfa8efdd5a550179000a8f77f34150 100644 (file)
@@ -758,12 +758,15 @@ static int add_uri_to_consumer(struct consumer_output *consumer,
                DBG2("Setting trace directory path from URI to %s", uri->dst.path);
                memset(consumer->dst.trace_path, 0,
                                sizeof(consumer->dst.trace_path));
-               strncpy(consumer->dst.trace_path, uri->dst.path,
-                               sizeof(consumer->dst.trace_path));
+               /* Explicit length checks for strcpy and strcat. */
+               if (strlen(uri->dst.path) + strlen(default_trace_dir)
+                               >= sizeof(consumer->dst.trace_path)) {
+                       ret = LTTNG_ERR_FATAL;
+                       goto error;
+               }
+               strcpy(consumer->dst.trace_path, uri->dst.path);
                /* Append default trace dir */
-               strncat(consumer->dst.trace_path, default_trace_dir,
-                               sizeof(consumer->dst.trace_path) -
-                               strlen(consumer->dst.trace_path) - 1);
+               strcat(consumer->dst.trace_path, default_trace_dir);
                /* Flag consumer as local. */
                consumer->type = CONSUMER_DST_LOCAL;
                break;
This page took 0.034574 seconds and 4 git commands to generate.