From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Tue, 17 May 2016 01:42:50 +0000 (-0400)
Subject: Fix: illegal memory access in cmd_snapshot_record
X-Git-Tag: v2.6.3~48
X-Git-Url: https://git.liburcu.org/?a=commitdiff_plain;ds=sidebyside;h=0374fda028457b7df245beccacbc91da00e58c4c;p=lttng-tools.git

Fix: illegal memory access in cmd_snapshot_record

Found by Coverity:
CID 1243027 (#1 of 1): Buffer not null terminated
(BUFFER_SIZE_WARNING)20. buffer_size_warning: Calling strncpy with a
maximum size argument of 255 bytes on destination array tmp_output.name
of size 255 bytes might leave the destination string unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
---

diff --git a/src/bin/lttng-sessiond/cmd.c b/src/bin/lttng-sessiond/cmd.c
index 689912fd8..e8a8d2fc7 100644
--- a/src/bin/lttng-sessiond/cmd.c
+++ b/src/bin/lttng-sessiond/cmd.c
@@ -3275,8 +3275,12 @@ int cmd_snapshot_record(struct ltt_session *session,
 
 			/* Use temporary name. */
 			if (*output->name != '\0') {
-				strncpy(tmp_output.name, output->name,
-						sizeof(tmp_output.name));
+				if (lttng_strncpy(tmp_output.name, output->name,
+						sizeof(tmp_output.name))) {
+					ret = LTTNG_ERR_INVALID;
+					rcu_read_unlock();
+					goto error;
+				}
 			}
 
 			tmp_output.nb_snapshot = session->snapshot.nb_snapshot;