zebra: make sure string is null terminated

Do extra inotify data structure checks and copy the file name to a stack
buffer making sure it is null byte terminated.

Found by Coverity Scan (CID 1465494)

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
This commit is contained in:
Rafael Zalamena 2023-01-17 16:32:08 -03:00
parent 7475ed3330
commit da5bd13c08

View File

@ -288,6 +288,7 @@ static void zebra_ns_notify_read(struct thread *t)
struct inotify_event *event;
char buf[BUFSIZ];
ssize_t len;
char event_name[NAME_MAX + 1];
thread_add_read(zrouter.master, zebra_ns_notify_read, NULL, fd_monitor,
&zebra_netns_notify_current);
@ -320,11 +321,41 @@ static void zebra_ns_notify_read(struct thread *t)
break;
}
/*
* Coverity Scan extra steps to satisfy `STRING_NULL` warning:
* - Make sure event name is present by checking `len != 0`
* - Event name length must be at most `NAME_MAX + 1`
* (null byte inclusive)
* - Copy event name to a stack buffer to make sure it
* includes the null byte. `event->name` includes at least
* one null byte and `event->len` accounts the null bytes,
* so the operation after `memcpy` will look like a
* truncation to satisfy Coverity Scan null byte ending.
*
* Example:
* if `event->name` is `abc\0` and `event->len` is 4,
* `memcpy` will copy the 4 bytes and then we set the
* null byte again at the position 4.
*
* For more information please read inotify(7) man page.
*/
if (event->len == 0)
continue;
if (event->len > sizeof(event_name)) {
flog_err(EC_ZEBRA_NS_NOTIFY_READ,
"NS notify error: unexpected big event name");
break;
}
memcpy(event_name, event->name, event->len);
event_name[event->len - 1] = 0;
if (event->mask & IN_DELETE) {
zebra_ns_delete(event->name);
zebra_ns_delete(event_name);
continue;
}
netnspath = ns_netns_pathname(NULL, event->name);
netnspath = ns_netns_pathname(NULL, event_name);
if (!netnspath)
continue;
netnspath = XSTRDUP(MTYPE_NETNS_MISC, netnspath);