[lttng-dev] [PATCH lttng-tools 19/24] Fix: illegal memory access in viewer_list_sessions

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Tue May 17 01:42:58 UTC 2016


Found by Coverity:

CID 1243025 (#1 of 2): Buffer not null terminated
(BUFFER_SIZE_WARNING)17. buffer_size_warning: Calling strncpy with a
maximum size argument of 64 bytes on destination array
send_session->hostname of size 64 bytes might leave the destination
string unterminated.

CID 1243025 (#2 of 2): Buffer not null terminated
(BUFFER_SIZE_WARNING)17. buffer_size_warning: Calling strncpy with a
maximum size argument of 255 bytes on destination array
send_session->session_name of size 255 bytes might leave the destination
string unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
---
 src/bin/lttng-relayd/live.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/bin/lttng-relayd/live.c b/src/bin/lttng-relayd/live.c
index a9f4f64..f87e4ba 100644
--- a/src/bin/lttng-relayd/live.c
+++ b/src/bin/lttng-relayd/live.c
@@ -831,10 +831,19 @@ int viewer_list_sessions(struct relay_connection *conn)
 			buf_count = new_buf_count;
 		}
 		send_session = &send_session_buf[count];
-		strncpy(send_session->session_name, session->session_name,
-				sizeof(send_session->session_name));
-		strncpy(send_session->hostname, session->hostname,
-				sizeof(send_session->hostname));
+		if (lttng_strncpy(send_session->session_name,
+				session->session_name,
+				sizeof(send_session->session_name))) {
+			ret = -1;
+			rcu_read_unlock();
+			goto end_free;
+		}
+		if (lttng_strncpy(send_session->hostname, session->hostname,
+				sizeof(send_session->hostname))) {
+			ret = -1;
+			rcu_read_unlock();
+			goto end_free;
+		}
 		send_session->id = htobe64(session->id);
 		send_session->live_timer = htobe32(session->live_timer);
 		if (session->viewer_attached) {
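Review bot: The two new failure branches after the lttng_strncpy() calls (session_name and hostname) each repeat `ret = -1; rcu_read_unlock(); goto end_free;` and exit without logging anything, so when a string does not fit, the function fails with no indication of which field or session caused it. Consider a single error label that performs the rcu_read_unlock() before falling through to end_free, and log the failing field before jumping. The commit message could also state that the function now returns an error on a nonzero lttng_strncpy() result, where the removed strncpy() calls had no failure path.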
-- 
2.1.4


