From c6906a8f61306f3d42aecf1653840c2bf57f904e Mon Sep 17 00:00:00 2001 From: Mathieu Desnoyers Date: Mon, 16 May 2016 21:42:47 -0400 Subject: [PATCH] Fix: illegal memory access in cmd_snapshot_list_outputs MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Found by Coverity: CID 1243031 (#1 of 2): Buffer not null terminated (BUFFER_SIZE_WARNING)22. buffer_size_warning: Calling strncpy with a maximum size argument of 4096 bytes on destination array (list + idx).ctrl_url of size 4096 bytes might leave the destination string unterminated. CID 1243031 (#2 of 2): Buffer not null terminated (BUFFER_SIZE_WARNING)26. buffer_size_warning: Calling strncpy with a maximum size argument of 255 bytes on destination array (list + idx).name of size 255 bytes might leave the destination string unterminated. Signed-off-by: Mathieu Desnoyers Signed-off-by: Jérémie Galarneau --- src/bin/lttng-sessiond/cmd.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/bin/lttng-sessiond/cmd.c b/src/bin/lttng-sessiond/cmd.c index 1327e42e4..201cbd183 100644 --- a/src/bin/lttng-sessiond/cmd.c +++ b/src/bin/lttng-sessiond/cmd.c @@ -3356,10 +3356,18 @@ ssize_t cmd_snapshot_list_outputs(struct ltt_session *session, assert(output->consumer); list[idx].id = output->id; list[idx].max_size = output->max_size; - strncpy(list[idx].name, output->name, sizeof(list[idx].name)); + if (lttng_strncpy(list[idx].name, output->name, + sizeof(list[idx].name))) { + ret = -LTTNG_ERR_INVALID; + goto error; + } if (output->consumer->type == CONSUMER_DST_LOCAL) { - strncpy(list[idx].ctrl_url, output->consumer->dst.trace_path, - sizeof(list[idx].ctrl_url)); + if (lttng_strncpy(list[idx].ctrl_url, + output->consumer->dst.trace_path, + sizeof(list[idx].ctrl_url))) { + ret = -LTTNG_ERR_INVALID; + goto error; + } } else { /* Control URI. */ ret = uri_to_str_url(&output->consumer->dst.net.control, -- 2.34.1