From 5b63c5dbffe3d2e89bf31b81dae5953d9a8a7b7b Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 14 May 2018 16:46:07 -0400
Subject: [PATCH] Use memcpy rather than strncpy and leave note in code
Coverity found that the usage of strncpy may leave an unterminated string. In this case it is ok, if the string is unterminated since it would only be the part of a response and the client would have to collect all the parts as indicated by the total length of the string. So we use memcpy instead and leave a note in the code. So far the strings would not nearly be 3k to get close to the maximum.
Signed-off-by: Stefan Berger
---
 src/swtpm/ctrlchannel.c | 3 ++-
 src/swtpm/cuse_tpm.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/swtpm/ctrlchannel.c b/src/swtpm/ctrlchannel.c
index 23e8992..d3454a5 100644
--- a/src/swtpm/ctrlchannel.c
+++ b/src/swtpm/ctrlchannel.c
@@ -822,7 +822,8 @@ int ctrlchannel_process_fd(int fd,
 pgi->u.resp.tpm_result = htobe32(0);
 pgi->u.resp.totlength = htobe32(strlen(info_data) + 1);
 pgi->u.resp.length = htobe32(length);
- strncpy(pgi->u.resp.buffer, &info_data[offset], length);
+ /* client has to collect whole string in case buffer is too small */
+ memcpy(pgi->u.resp.buffer, &info_data[offset], length);
 free(info_data);
 out_len = offsetof(ptm_getinfo, u.resp.buffer) + length;
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index 3bd168d..8dce627 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1226,7 +1226,8 @@ static void ptm_ioctl(fuse_req_t req, int cmd, void *arg,
 out_pgi.u.resp.tpm_result = 0;
 out_pgi.u.resp.totlength = strlen(info_data) + 1;
 out_pgi.u.resp.length = length;
- strncpy(out_pgi.u.resp.buffer, &info_data[offset], length);
+ /* client has to collect whole string in case buffer is too small */
+ memcpy(out_pgi.u.resp.buffer, &info_data[offset], length);
 free(info_data);
 fuse_reply_ioctl(req, 0, &out_pgi, sizeof(out_pgi));
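Review bot: In src/swtpm/ctrlchannel.c the new `memcpy` reads exactly `length` bytes starting at `&info_data[offset]`, whereas the removed `strncpy` stopped reading at the terminating NUL. The copy is therefore only safe if `offset` and `length` were already clamped against `strlen(info_data) + 1` and the size of `u.resp.buffer`. That clamping is not visible here, because ctrlchannel_process_fd's body starts and ends outside the hunk. The added comment should state the invariant and the missing-terminator consequence, for example `/* length <= strlen(info_data) + 1 - offset and <= sizeof(buffer); a chunk may lack the NUL, client reassembles via totlength */`. The same applies to the `memcpy` in ptm_ioctl in src/swtpm/cuse_tpm.c.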
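Review bot: In src/swtpm/cuse_tpm.c the reply is sent with `sizeof(out_pgi)`, but `memcpy` fills only the first `length` bytes of `out_pgi.u.resp.buffer`, so the rest of the buffer reaches the client with whatever it held before. The ctrlchannel.c path avoids this by trimming the reply to `offsetof(ptm_getinfo, u.resp.buffer) + length`. Whether `out_pgi` is zeroed earlier in ptm_ioctl cannot be seen from the hunk, since the function body starts and ends outside it. If it is not, adding `memset(&out_pgi, 0, sizeof(out_pgi));` before the response fields are set (and after any request fields have been read) would keep stale memory out of the ioctl reply.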