authorUwe Kleine-König <u.kleine-koenig@pengutronix.de>2011-01-20 17:00:20 +0100
committerUwe Kleine-König <u.kleine-koenig@pengutronix.de>2011-01-20 17:00:20 +0100
commit0853ea109493f19a92b6745e5c4fad697ebf2e7e (patch)
tree094eec7576e4bb2a2c5e2f21ec37b7efc237e60b
parent886d26833d637ab778023626a158061e4eb9c5d0 (diff)
kernvar(): fix possible buffer overflow in string handlingupstream
strncat writes up to n+1 chars when n is passed as 3rd argument. So when doing strncpy(filename, fileprefix, sizeof(filename)); strncat(filename, name, sizeof(filename) - strlen(fileprefix)); with strlen(fileprefix) + strlen(name) >= sizeof(filename) a buffer overflow occurs. Additionally there is no check if filename is big enough. So convert to memcpy and handle filename not being big enough. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
-rw-r--r--src/backfire/sendme.c12
-rw-r--r--src/cyclictest/cyclictest.c11
2 files changed, 19 insertions, 4 deletions
diff --git a/src/backfire/sendme.c b/src/backfire/sendme.c
index 27ea077..8c169dd 100644
--- a/src/backfire/sendme.c
+++ b/src/backfire/sendme.c
@@ -28,6 +28,7 @@
#include <sched.h>
#include <string.h>
#include <time.h>
+#include <errno.h>
#include "rt-utils.h"
#include "rt-get_cpu.h"
@@ -63,9 +64,16 @@ static int kernvar(int mode, const char *name, char *value, size_t sizeofvalue)
char *fileprefix = get_debugfileprefix();
int retval = 1;
int path;
+ size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+ if (len_prefix + len_name + 1 > sizeof(filename)) {
+ errno = ENOMEM;
+ return 1;
+ }
+
+ memcpy(filename, fileprefix, len_prefix);
+ memcpy(filename + len_prefix, name, len_name + 1);
- strncpy(filename, fileprefix, sizeof(filename));
- strncat(filename, name, sizeof(filename) - strlen(fileprefix));
path = open(filename, mode);
if (path >= 0) {
if (mode == O_RDONLY) {
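Review bot: The new length guard reports an over-long path as `errno = ENOMEM`, which a caller printing strerror(errno) would show as an allocation failure; `errno = ENAMETOOLONG;` names the actual condition. The same line appears in the kernvar() hunk of src/cyclictest/cyclictest.c. The `+ 1` in the check and in the second memcpy is what keeps the terminating NUL inside filename, so a short comment above the guard, such as `/* +1: the second memcpy also copies name's terminating NUL */`, would help keep the two in sync. kernvar() starts and ends outside this hunk, so how its callers use errno is not visible here.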
diff --git a/src/cyclictest/cyclictest.c b/src/cyclictest/cyclictest.c
index 0847aed..87eec88 100644
--- a/src/cyclictest/cyclictest.c
+++ b/src/cyclictest/cyclictest.c
@@ -199,9 +199,16 @@ static int kernvar(int mode, const char *name, char *value, size_t sizeofvalue)
char filename[128];
int retval = 1;
int path;
+ size_t len_prefix = strlen(fileprefix), len_name = strlen(name);
+
+ if (len_prefix + len_name + 1 > sizeof(filename)) {
+ errno = ENOMEM;
+ return 1;
+ }
+
+ memcpy(filename, fileprefix, len_prefix);
+ memcpy(filename + len_prefix, name, len_name + 1);
- strncpy(filename, fileprefix, sizeof(filename));
- strncat(filename, name, sizeof(filename) - strlen(fileprefix));
path = open(filename, mode);
if (path >= 0) {
if (mode == O_RDONLY) {
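Review bot: This guard-and-memcpy sequence is now duplicated verbatim in src/backfire/sendme.c and here, so a later correction to one copy can miss the other; both copies carried the same strncat bound error before this change. sendme.c already includes rt-utils.h, so a shared path-building helper there looks like the natural home, though whether cyclictest.c can use that header is not visible in this hunk. This file section also starts assigning `errno` without an include hunk like the one in sendme.c, so confirm `<errno.h>` is already included in cyclictest.c. The body of kernvar() continues outside the hunk.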