author | Uwe Kleine-König <u.kleine-koenig@pengutronix.de> | 2011-08-18 09:05:25 -0500 |
---|---|---|
committer | Clark Williams <williams@redhat.com> | 2011-08-18 09:05:25 -0500 |
commit | 39451cc083b27f706659590ccb316358846c2104 (patch) | |
tree | 6d4537f7fc7e31d59b037025077b5979bb5fce61 | |
parent | 21a11149ac03ab0bdc6174904e869c2e5524376c (diff) | |
download | rt-tests-39451cc083b27f706659590ccb316358846c2104.tar.gz |
fix possible buffer overflow in string handling
strncat writes up to n+1 chars when n is passed as 3rd argument. So when
doing
strncpy(filename, fileprefix, sizeof(filename));
strncat(filename, name, sizeof(filename) - strlen(fileprefix));
with strlen(fileprefix) + strlen(name) >= sizeof(filename) a buffer
overflow occurs. Additionally there is no check if filename is big enough.
So convert to memcpy and handle filename not being big enough.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Clark Williams <williams@redhat.com>
-rw-r--r-- | src/backfire/sendme.c | 12 | ||||
-rw-r--r-- | src/cyclictest/cyclictest.c | 11 |
2 files changed, 19 insertions, 4 deletions
diff --git a/src/backfire/sendme.c b/src/backfire/sendme.c
index 27ea077..8c169dd 100644
--- a/src/backfire/sendme.c
+++ b/src/backfire/sendme.c
@@ -28,6 +28,7 @@
 #include <sched.h>
 #include <string.h>
 #include <time.h>
+#include <errno.h>
 #include "rt-utils.h"
 #include "rt-get_cpu.h"
@@ -63,9 +64,16 @@ static int kernvar(int mode, const char *name, char *value, size_t sizeofvalue)
 char *fileprefix = get_debugfileprefix();
 int retval = 1;
 int path;
+ size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+ if (len_prefix + len_name + 1 > sizeof(filename)) {
+ errno = ENOMEM;
+ return 1;
+ }
+
+ memcpy(filename, fileprefix, len_prefix);
+ memcpy(filename + len_prefix, name, len_name + 1);
- strncpy(filename, fileprefix, sizeof(filename));
- strncat(filename, name, sizeof(filename) - strlen(fileprefix));
 path = open(filename, mode);
 if (path >= 0) {
 if (mode == O_RDONLY) { |
diff --git a/src/cyclictest/cyclictest.c b/src/cyclictest/cyclictest.c
index 3861f23..6be5521 100644
--- a/src/cyclictest/cyclictest.c
+++ b/src/cyclictest/cyclictest.c
@@ -210,9 +210,16 @@ static int kernvar(int mode, const char *name, char *value, size_t sizeofvalue)
 char filename[128];
 int retval = 1;
 int path;
+ size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+ if (len_prefix + len_name + 1 > sizeof(filename)) {
+ errno = ENOMEM;
+ return 1;
+ }
+
+ memcpy(filename, fileprefix, len_prefix);
+ memcpy(filename + len_prefix, name, len_name + 1);
- strncpy(filename, fileprefix, sizeof(filename));
- strncat(filename, name, sizeof(filename) - strlen(fileprefix));
 path = open(filename, mode);
 if (path >= 0) {
 if (mode == O_RDONLY) { |
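Review bot: The new length guard in both copies of kernvar() (src/backfire/sendme.c and src/cyclictest/cyclictest.c) reports an over-long path with `errno = ENOMEM;`, which tells the caller an allocation failed when nothing was allocated; `errno = ENAMETOOLONG;` is the conventional value for a name that does not fit its buffer. The bound itself, `len_prefix + len_name + 1 > sizeof(filename)`, does leave room for the terminating NUL that the second memcpy copies. `strlen(fileprefix)` runs in the initializer before any check, so if fileprefix can be NULL the call is undefined behaviour, and an empty prefix would make open() resolve `name` relative to the current directory; where fileprefix comes from is not visible in these hunks, so this should be confirmed, and if either case is possible the lengths should be computed only after a check like `if (!fileprefix || !*fileprefix) return 1;`. The cyclictest.c hunk adds no `#include <errno.h>`, so that file presumably includes it already. kernvar()'s body starts and ends outside both hunks.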