'[xen master] vchan-socket-proxy: Ensure UNIX path NUL terminated'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xen-cvs
Subject:    [xen master] vchan-socket-proxy: Ensure UNIX path NUL terminated
From:       patchbot () xen ! org
Date:       2020-06-29 6:33:32
Message-ID: E1jpnMC-00021S-D8 () xenbits ! xenproject ! org
[Download RAW message or body]

commit 2c8ac47d4e780389842f812bb6b2f95fa673add5
Author:     Jason Andryuk <jandryuk@gmail.com>
AuthorDate: Wed Jun 10 23:29:27 2020 -0400
Commit:     Wei Liu <wl@xen.org>
CommitDate: Fri Jun 26 11:58:30 2020 +0000

    vchan-socket-proxy: Ensure UNIX path NUL terminated
    
    Check the socket path length to ensure sun_path is NUL terminated.
    
    This was spotted by Citrix's Coverity.
    
    Also use strcpy to avoid a warning "'__builtin_strncpy' specified bound
    108 equals destination size [-Werror=stringop-truncation]" flagged by
    gcc 10.
    
    Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
    Acked-by: Wei Liu <wl@xen.org>
    Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Release-acked-by: Paul Durrant <paul@xen.org>
---
 tools/libvchan/vchan-socket-proxy.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/tools/libvchan/vchan-socket-proxy.c b/tools/libvchan/vchan-socket-proxy.c
index 13700c5d67..6ae1d84143 100644
--- a/tools/libvchan/vchan-socket-proxy.c
+++ b/tools/libvchan/vchan-socket-proxy.c
@@ -148,12 +148,18 @@ static int connect_socket(const char *path_or_fd) {
         return fd;
     }
 
+    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+        return -1;
+    }
+
     fd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (fd == -1)
         return -1;
 
     addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+    strcpy(addr.sun_path, path_or_fd);
     if (connect(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
         close(fd);
         return -1;
@@ -174,13 +180,19 @@ static int listen_socket(const char *path_or_fd) {
         return fd;
     }
 
+    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+        return -1;
+    }
+
     /* if not a number, assume a socket path */
     fd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (fd == -1)
         return -1;
 
     addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+    strcpy(addr.sun_path, path_or_fd);
     if (bind(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
         close(fd);
         return -1;
--
generated by git-patchbot for /home/xen/git/xen.git#master

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic