[prev in list] [next in list] [prev in thread] [next in thread]
List: xen-cvs
Subject: [xen master] vchan-socket-proxy: Ensure UNIX path NUL terminated
From: patchbot () xen ! org
Date: 2020-06-29 6:33:32
Message-ID: E1jpnMC-00021S-D8 () xenbits ! xenproject ! org
[Download RAW message or body]
commit 2c8ac47d4e780389842f812bb6b2f95fa673add5
Author: Jason Andryuk <jandryuk@gmail.com>
AuthorDate: Wed Jun 10 23:29:27 2020 -0400
Commit: Wei Liu <wl@xen.org>
CommitDate: Fri Jun 26 11:58:30 2020 +0000
vchan-socket-proxy: Ensure UNIX path NUL terminated
Check the socket path length to ensure sun_path is NUL terminated.
This was spotted by Citrix's Coverity.
Also use strcpy to avoid a warning "'__builtin_strncpy' specified bound
108 equals destination size [-Werror=stringop-truncation]" flagged by
gcc 10.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Acked-by: Wei Liu <wl@xen.org>
Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Release-acked-by: Paul Durrant <paul@xen.org>
---
tools/libvchan/vchan-socket-proxy.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/libvchan/vchan-socket-proxy.c b/tools/libvchan/vchan-socket-proxy.c
index 13700c5d67..6ae1d84143 100644
--- a/tools/libvchan/vchan-socket-proxy.c
+++ b/tools/libvchan/vchan-socket-proxy.c
@@ -148,12 +148,18 @@ static int connect_socket(const char *path_or_fd) {
return fd;
}
+ if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+ fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+ path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+ return -1;
+ }
+
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1)
return -1;
addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+ strcpy(addr.sun_path, path_or_fd);
if (connect(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
close(fd);
return -1;
@@ -174,13 +180,19 @@ static int listen_socket(const char *path_or_fd) {
return fd;
}
+ if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+ fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+ path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+ return -1;
+ }
+
/* if not a number, assume a socket path */
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1)
return -1;
addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+ strcpy(addr.sun_path, path_or_fd);
if (bind(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
close(fd);
return -1;
--
generated by git-patchbot for /home/xen/git/xen.git#master
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic