diff options
| author | Rafael Zalamena <rzalamena@opensourcerouting.org> | 2023-01-17 20:32:08 +0100 |
|---|---|---|
| committer | Rafael Zalamena <rzalamena@opensourcerouting.org> | 2023-01-17 21:08:23 +0100 |
| commit | da5bd13c08c32495728abcbf6be33e1356ce3116 (patch) | |
| tree | 5908bcfac3f9d8992263984465fe429544ad4200 /zebra | |
| parent | Merge pull request #12449 from chiragshah6/mdev1 (diff) | |
| download | frr-da5bd13c08c32495728abcbf6be33e1356ce3116.tar.xz frr-da5bd13c08c32495728abcbf6be33e1356ce3116.zip | |
zebra: make sure string is null terminated
Do extra inotify data structure checks and copy the file name to a stack
buffer making sure it is null byte terminated.
Found by Coverity Scan (CID 1465494)
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
Diffstat (limited to 'zebra')
| -rw-r--r-- | zebra/zebra_netns_notify.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/zebra/zebra_netns_notify.c b/zebra/zebra_netns_notify.c index 6ad54d5c5..50b7ff923 100644 --- a/zebra/zebra_netns_notify.c +++ b/zebra/zebra_netns_notify.c @@ -288,6 +288,7 @@ static void zebra_ns_notify_read(struct thread *t) struct inotify_event *event; char buf[BUFSIZ]; ssize_t len; + char event_name[NAME_MAX + 1]; thread_add_read(zrouter.master, zebra_ns_notify_read, NULL, fd_monitor, &zebra_netns_notify_current); @@ -320,11 +321,41 @@ static void zebra_ns_notify_read(struct thread *t) break; } + /* + * Coverity Scan extra steps to satisfy `STRING_NULL` warning: + * - Make sure event name is present by checking `len != 0` + * - Event name length must be at most `NAME_MAX + 1` + * (null byte inclusive) + * - Copy event name to a stack buffer to make sure it + * includes the null byte. `event->name` includes at least + * one null byte and `event->len` accounts the null bytes, + * so the operation after `memcpy` will look like a + * truncation to satisfy Coverity Scan null byte ending. + * + * Example: + * if `event->name` is `abc\0` and `event->len` is 4, + * `memcpy` will copy the 4 bytes and then we set the + * null byte again at the position 4. + * + * For more information please read inotify(7) man page. + */ + if (event->len == 0) + continue; + + if (event->len > sizeof(event_name)) { + flog_err(EC_ZEBRA_NS_NOTIFY_READ, + "NS notify error: unexpected big event name"); + break; + } + + memcpy(event_name, event->name, event->len); + event_name[event->len - 1] = 0; + if (event->mask & IN_DELETE) { - zebra_ns_delete(event->name); + zebra_ns_delete(event_name); continue; } - netnspath = ns_netns_pathname(NULL, event->name); + netnspath = ns_netns_pathname(NULL, event_name); if (!netnspath) continue; netnspath = XSTRDUP(MTYPE_NETNS_MISC, netnspath); |