zebra: make sure string is null terminated
Do extra inotify data structure checks and copy the file name to a stack buffer making sure it is null byte terminated. Found by Coverity Scan (CID 1465494) Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
parent
7475ed3330
commit
da5bd13c08
@ -288,6 +288,7 @@ static void zebra_ns_notify_read(struct thread *t)
|
||||
struct inotify_event *event;
|
||||
char buf[BUFSIZ];
|
||||
ssize_t len;
|
||||
char event_name[NAME_MAX + 1];
|
||||
|
||||
thread_add_read(zrouter.master, zebra_ns_notify_read, NULL, fd_monitor,
|
||||
&zebra_netns_notify_current);
|
||||
@ -320,11 +321,41 @@ static void zebra_ns_notify_read(struct thread *t)
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Coverity Scan extra steps to satisfy `STRING_NULL` warning:
|
||||
* - Make sure event name is present by checking `len != 0`
|
||||
* - Event name length must be at most `NAME_MAX + 1`
|
||||
* (null byte inclusive)
|
||||
* - Copy event name to a stack buffer to make sure it
|
||||
* includes the null byte. `event->name` includes at least
|
||||
* one null byte and `event->len` accounts the null bytes,
|
||||
* so the operation after `memcpy` will look like a
|
||||
* truncation to satisfy Coverity Scan null byte ending.
|
||||
*
|
||||
* Example:
|
||||
* if `event->name` is `abc\0` and `event->len` is 4,
|
||||
* `memcpy` will copy the 4 bytes and then we set the
|
||||
* null byte again at the position 4.
|
||||
*
|
||||
* For more information please read inotify(7) man page.
|
||||
*/
|
||||
if (event->len == 0)
|
||||
continue;
|
||||
|
||||
if (event->len > sizeof(event_name)) {
|
||||
flog_err(EC_ZEBRA_NS_NOTIFY_READ,
|
||||
"NS notify error: unexpected big event name");
|
||||
break;
|
||||
}
|
||||
|
||||
memcpy(event_name, event->name, event->len);
|
||||
event_name[event->len - 1] = 0;
|
||||
|
||||
if (event->mask & IN_DELETE) {
|
||||
zebra_ns_delete(event->name);
|
||||
zebra_ns_delete(event_name);
|
||||
continue;
|
||||
}
|
||||
netnspath = ns_netns_pathname(NULL, event->name);
|
||||
netnspath = ns_netns_pathname(NULL, event_name);
|
||||
if (!netnspath)
|
||||
continue;
|
||||
netnspath = XSTRDUP(MTYPE_NETNS_MISC, netnspath);
|
||||
|
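Review bot: `event_name[event->len - 1] = 0;` overwrites the last copied byte unconditionally, so if that byte were ever not a NUL the name would be silently shortened by one character and `zebra_ns_delete()` / `ns_netns_pathname()` would act on a different namespace name than the one reported. Unless a check above the hunk already rejects unterminated names (the loop head and the earlier guards of `zebra_ns_notify_read` are outside the visible lines), I would reject rather than truncate, e.g. `if (event->name[event->len - 1] != '\0')` with the same `flog_err` and `break` handling as the size check. The oversize branch would also be easier to triage if its message carried the length, e.g. `"NS notify error: unexpected big event name (len %u)"` with `event->len`, because the `break` there drops every remaining event in the buffer. The block comment is worded around satisfying Coverity; stating the invariant itself (the name is copied into a `NAME_MAX + 1` buffer and always NUL-terminated before use) would stay accurate after the tool warning is forgotten.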