libmemif: fix insecure uses of strncpy
A calling patterm of "strncpy(dst, src, strlen(src))" invites a lot of troubles.
However, even using the target size may result in a problem if the string is
longer, since then the termination is not done.
Use strlcpy(dst, src, sizeof(dst)), which will always null-terminate
the string.
Change-Id: I8ddaf3dc8380a78af08914e81849279dae7ab24a
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
diff --git a/extras/libmemif/src/socket.c b/extras/libmemif/src/socket.c
index 2454616..b801cac 100644
--- a/extras/libmemif/src/socket.c
+++ b/extras/libmemif/src/socket.c
@@ -111,8 +111,7 @@
h->max_region = MEMIF_MAX_REGION;
h->max_log2_ring_size = MEMIF_MAX_LOG2_RING_SIZE;
- strncpy ((char *) h->name, (char *) lm->app_name,
- strlen ((char *) lm->app_name));
+ strlcpy ((char *) h->name, (char *) lm->app_name, sizeof (h->name));
/* msg hello is not enqueued but sent directly,
because it is the first msg to be sent */
@@ -139,8 +138,7 @@
i->id = c->args.interface_id;
i->mode = c->args.mode;
- strncpy ((char *) i->name, (char *) lm->app_name,
- strlen ((char *) lm->app_name));
+ strlcpy ((char *) i->name, (char *) lm->app_name, sizeof (i->name));
if (strlen ((char *) c->args.secret) > 0)
strncpy ((char *) i->secret, (char *) c->args.secret, sizeof (i->secret));
@@ -260,8 +258,8 @@
e->msg.type = MEMIF_MSG_TYPE_CONNECT;
e->fd = -1;
- strncpy ((char *) cm->if_name, (char *) c->args.interface_name,
- strlen ((char *) c->args.interface_name));
+ strlcpy ((char *) cm->if_name, (char *) c->args.interface_name,
+ sizeof (cm->if_name));
e->next = NULL;
if (c->msg_queue == NULL)
@@ -295,8 +293,8 @@
e->msg.type = MEMIF_MSG_TYPE_CONNECTED;
e->fd = -1;
- strncpy ((char *) cm->if_name, (char *) c->args.interface_name,
- strlen ((char *) c->args.interface_name));
+ strlcpy ((char *) cm->if_name, (char *) c->args.interface_name,
+ sizeof (cm->if_name));
e->next = NULL;
if (c->msg_queue == NULL)
@@ -327,12 +325,12 @@
msg.type = MEMIF_MSG_TYPE_DISCONNECT;
d->code = err_code;
uint16_t l = strlen ((char *) err_string);
- if (l > 96)
+ if (l > sizeof (d->string) - 1)
{
- DBG ("Disconnect string too long. Sending first 96 characters.");
- l = 96;
+ DBG ("Disconnect string too long. Sending the first %d characters.",
+ sizeof (d->string) - 1);
}
- strncpy ((char *) d->string, (char *) err_string, l);
+ strlcpy ((char *) d->string, (char *) err_string, sizeof (d->string));
return memif_msg_send (fd, &msg, -1);
}
@@ -356,8 +354,7 @@
c->run_args.log2_ring_size = memif_min (h->max_log2_ring_size,
c->args.log2_ring_size);
c->run_args.buffer_size = c->args.buffer_size;
- strncpy ((char *) c->remote_name, (char *) h->name,
- strlen ((char *) h->name));
+ strlcpy ((char *) c->remote_name, (char *) h->name, sizeof (c->remote_name));
return MEMIF_ERR_SUCCESS; /* 0 */
}
@@ -420,8 +417,7 @@
goto error;
}
- strncpy ((char *) c->remote_name, (char *) i->name,
- strlen ((char *) i->name));
+ strlcpy ((char *) c->remote_name, (char *) i->name, sizeof (c->remote_name));
if (strlen ((char *) c->args.secret) > 0)
{
@@ -588,8 +584,8 @@
if (err != MEMIF_ERR_SUCCESS)
return err;
- strncpy ((char *) c->remote_if_name, (char *) cm->if_name,
- strlen ((char *) cm->if_name));
+ strlcpy ((char *) c->remote_if_name, (char *) cm->if_name,
+ sizeof (c->remote_if_name));
int i;
if (c->on_interrupt != NULL)
@@ -625,7 +621,7 @@
return err;
strncpy ((char *) c->remote_if_name, (char *) cm->if_name,
- strlen ((char *) cm->if_name));
+ sizeof (c->remote_if_name));
int i;
if (c->on_interrupt != NULL)
@@ -650,7 +646,7 @@
memset (c->remote_disconnect_string, 0,
sizeof (c->remote_disconnect_string));
strncpy ((char *) c->remote_disconnect_string, (char *) d->string,
- strlen ((char *) d->string));
+ sizeof (c->remote_disconnect_string));
/* on returning error, handle function will call memif_disconnect () */
DBG ("disconnect received: %s, mode: %d",