From 5da6aa8c717f11f99a1e169cb5df47db7656f662 Mon Sep 17 00:00:00 2001 From: Dwight Engen Date: Tue, 29 Oct 2013 09:24:29 -0400 Subject: [PATCH] coverity: ifr_name buffer not NULL terminated The kernel (net/core/dev_ioctl.c:dev_ioctl()) is going to NULL terminate this name after the copy-in of the ifr, so even though this is a fixed sized array the last byte isn't usable as part of the name. All the ioctls we're using go through this code path. Use the ifr name in the DEBUG message in case it was possibly truncated. Signed-off-by: Dwight Engen Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 3 ++- src/lxc/lxc_user_nic.c | 3 ++- src/lxc/network.c | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index f579c17db..50dc4262e 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2059,6 +2059,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname) } memcpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ-1] = '\0'; memcpy((char *) &ifr.ifr_hwaddr, (char *) &sockaddr, sizeof(sockaddr)); process_lock(); @@ -2076,7 +2077,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname) if (ret) ERROR("ioctl failure : %s", strerror(errno)); - DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifname); + DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifr.ifr_name); return ret; } diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 6c3a09e98..bc1c26881 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -473,7 +473,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname) if (fd < 0) return -errno; - strncpy(ifr.ifr_name, bridge, IFNAMSIZ); + strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1); + ifr.ifr_name[IFNAMSIZ-1] = '\0'; ifr.ifr_ifindex = index; err = ioctl(fd, SIOCBRADDIF, &ifr); close(fd); diff --git a/src/lxc/network.c b/src/lxc/network.c index 09ca8f79c..c30287e9b 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c @@ -1009,7 +1009,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname) if (fd < 0) return -errno; - strncpy(ifr.ifr_name, bridge, IFNAMSIZ); + strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1); + ifr.ifr_name[IFNAMSIZ-1] = '\0'; ifr.ifr_ifindex = index; err = ioctl(fd, SIOCBRADDIF, &ifr); process_lock();