[lttng-dev] [PATCH lttng-tools 18/24] Fix: illegal memory access in relayd_add_stream

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Tue May 17 01:42:57 UTC 2016


Found by Coverity:

CID 1243017 (#1 of 4): Buffer not null terminated
(BUFFER_SIZE_WARNING)14. buffer_size_warning: Calling strncpy with a
maximum size argument of 264 bytes on destination array msg.channel_name
of size 264 bytes might leave the destination string unterminated.

CID 1243017 (#2 of 4): Buffer not null terminated
(BUFFER_SIZE_WARNING)14. buffer_size_warning: Calling strncpy with a
maximum size argument of 264 bytes on destination array
msg_2_2.channel_name of size 264 bytes might leave the destination
string unterminated.

CID 1243017 (#3 of 4): Buffer not null terminated
(BUFFER_SIZE_WARNING)15. buffer_size_warning: Calling strncpy with a
maximum size argument of 4096 bytes on destination array msg.pathname of
size 4096 bytes might leave the destination string unterminated.

CID 1243017 (#4 of 4): Buffer not null terminated
(BUFFER_SIZE_WARNING)15. buffer_size_warning: Calling strncpy with a
maximum size argument of 4096 bytes on destination array
msg_2_2.pathname of size 4096 bytes might leave the destination string
unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
---
 src/common/relayd/relayd.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/common/relayd/relayd.c b/src/common/relayd/relayd.c
index 9e95255..7f0ea74 100644
--- a/src/common/relayd/relayd.c
+++ b/src/common/relayd/relayd.c
@@ -254,16 +254,16 @@ int relayd_add_stream(struct lttcomm_relayd_sock *rsock, const char *channel_nam
 	/* Compat with relayd 2.1 */
 	if (rsock->minor == 1) {
 		memset(&msg, 0, sizeof(msg));
-		if (strlen(channel_name) >= sizeof(msg.channel_name)) {
+		if (lttng_strncpy(msg.channel_name, channel_name,
+				sizeof(msg.channel_name))) {
 			ret = -1;
 			goto error;
 		}
-		strncpy(msg.channel_name, channel_name, sizeof(msg.channel_name));
-		if (strlen(pathname) >= sizeof(msg.pathname)) {
+		if (lttng_strncpy(msg.pathname, pathname,
+				sizeof(msg.pathname))) {
 			ret = -1;
 			goto error;
 		}
-		strncpy(msg.pathname, pathname, sizeof(msg.pathname));
 
 		/* Send command */
 		ret = send_command(rsock, RELAYD_ADD_STREAM, (void *) &msg, sizeof(msg), 0);
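Review bot: The two rejection paths in the relayd 2.1 branch, and the matching pair in the 2.2+ branch in the next hunk, set `ret = -1` and jump to `error` without recording which field was too long, so an oversized channel name or pathname looks the same as a send failure in the logs. Assuming lttng_strncpy() returns non-zero when the source does not fit together with its terminator (its definition is not shown here), a log line before each `goto error` would help, for example `ERR("Channel name does not fit in %zu bytes", sizeof(msg.channel_name));` using the project's usual logging macro. A short comment such as `/* Reject rather than truncate: a shortened pathname must not reach the relayd. */` would also record why the copy failure is treated as fatal. relayd_add_stream's body begins and ends outside this hunk, so the handling at the `error` label and any NULL checks on `channel_name` and `pathname` are not visible here.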
@@ -273,16 +273,16 @@ int relayd_add_stream(struct lttcomm_relayd_sock *rsock, const char *channel_nam
 	} else {
 		memset(&msg_2_2, 0, sizeof(msg_2_2));
 		/* Compat with relayd 2.2+ */
-		if (strlen(channel_name) >= sizeof(msg_2_2.channel_name)) {
+		if (lttng_strncpy(msg_2_2.channel_name, channel_name,
+				sizeof(msg_2_2.channel_name))) {
 			ret = -1;
 			goto error;
 		}
-		strncpy(msg_2_2.channel_name, channel_name, sizeof(msg_2_2.channel_name));
-		if (strlen(pathname) >= sizeof(msg_2_2.pathname)) {
+		if (lttng_strncpy(msg_2_2.pathname, pathname,
+				sizeof(msg_2_2.pathname))) {
 			ret = -1;
 			goto error;
 		}
-		strncpy(msg_2_2.pathname, pathname, sizeof(msg_2_2.pathname));
 		msg_2_2.tracefile_size = htobe64(tracefile_size);
 		msg_2_2.tracefile_count = htobe64(tracefile_count);
 
-- 
2.1.4


