[lttng-dev] [PATCH lttng-tools 16/24] Fix: illegal memory access in session_create
Mathieu Desnoyers
mathieu.desnoyers at efficios.com
Tue May 17 01:42:55 UTC 2016
Found by Coverity:
CID 1323138 (#1 of 2): Buffer not null terminated
(BUFFER_SIZE_WARNING)3. buffer_size_warning: Calling strncpy with a
maximum size argument of 64 bytes on destination array session->hostname
of size 64 bytes might leave the destination string unterminated.
CID 1323138 (#2 of 2): Buffer not null terminated
(BUFFER_SIZE_WARNING)3. buffer_size_warning: Calling strncpy with a
maximum size argument of 255 bytes on destination array
session->session_name of size 255 bytes might leave the destination
string unterminated.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
---
src/bin/lttng-relayd/session.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/bin/lttng-relayd/session.c b/src/bin/lttng-relayd/session.c
index d1c2098..9702bd2 100644
--- a/src/bin/lttng-relayd/session.c
+++ b/src/bin/lttng-relayd/session.c
@@ -46,11 +46,16 @@ struct relay_session *session_create(const char *session_name,
PERROR("relay session zmalloc");
goto error;
}
-
+ if (lttng_strncpy(session->session_name, session_name,
+ sizeof(session->session_name))) {
+ goto error;
+ }
+ if (lttng_strncpy(session->hostname, hostname,
+ sizeof(session->hostname))) {
+ goto error;
+ }
session->ctf_traces_ht = lttng_ht_new(0, LTTNG_HT_TYPE_STRING);
if (!session->ctf_traces_ht) {
- free(session);
- session = NULL;
goto error;
}
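Review bot: Both new `lttng_strncpy()` failure branches jump to `error` without logging anything, so a rejected over-long session name or hostname makes session_create() return NULL with no trace of the reason. These strings presumably come from the remote peer, so an operator needs to know which field was refused. Add something like `ERR("Session name exceeds the maximal allowed length");` before the first `goto error;`, and an equivalent line for the hostname. Log a fixed message rather than the oversized string itself. session_create() starts above this hunk and continues past it.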
@@ -67,17 +72,15 @@ struct relay_session *session_create(const char *session_name,
pthread_mutex_init(&session->reflock, NULL);
pthread_mutex_init(&session->recv_list_lock, NULL);
- strncpy(session->session_name, session_name,
- sizeof(session->session_name));
- strncpy(session->hostname, hostname,
- sizeof(session->hostname));
session->live_timer = live_timer;
session->snapshot = snapshot;
lttng_ht_add_unique_u64(sessions_ht, &session->session_n);
+ return session;
error:
- return session;
+ free(session);
+ return NULL;
}
/* Should be called with RCU read-side lock held. */
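Review bot: The shared `error:` label now frees only `session`, which is sufficient solely because every `goto error` visible in this patch occurs no later than the `lttng_ht_new()` failure check. A failure path added later, once `ctf_traces_ht` exists and the mutexes are initialised, would leak the hash table. A comment above the label would record that constraint, for example `/* Only reached before ctf_traces_ht is created; nothing else to release. */`. Alternatively the label could release the table when it is non-NULL. The lines between the two hunks are not shown, so confirm that no `goto error` sits there; the function body also begins outside this hunk.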
--
2.1.4