pbrd: remove unsafe string copy

A user could overflow the pbr_ifp->mapname buffer by entering a pbr-map
name longer than 100 characters.

Coverity #1467821
Coverity #1467821

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
This commit is contained in:
Quentin Young 2018-04-17 16:55:59 -04:00
parent 6898d846c5
commit 5f504f14a9

View File

@ -322,27 +322,20 @@ DEFPY (pbr_policy,
if (no) {
if (strcmp(pbr_ifp->mapname, mapname) == 0) {
strcpy(pbr_ifp->mapname, "");
pbr_ifp->mapname[0] = '\0';
if (pbrm)
pbr_map_interface_delete(pbrm, ifp);
}
} else {
if (strcmp(pbr_ifp->mapname, "") == 0) {
strcpy(pbr_ifp->mapname, mapname);
if (pbrm)
pbr_map_add_interface(pbrm, ifp);
} else {
if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
old_pbrm = pbrm_find(pbr_ifp->mapname);
if (old_pbrm)
pbr_map_interface_delete(old_pbrm, ifp);
strcpy(pbr_ifp->mapname, mapname);
if (pbrm)
pbr_map_add_interface(pbrm, ifp);
}
if (strcmp(pbr_ifp->mapname, "") != 0) {
old_pbrm = pbrm_find(pbr_ifp->mapname);
if (old_pbrm)
pbr_map_interface_delete(old_pbrm, ifp);
}
snprintf(pbr_ifp->mapname, sizeof(pbr_ifp->mapname),
"%s", mapname);
if (pbrm)
pbr_map_add_interface(pbrm, ifp);
}
return CMD_SUCCESS;