1 files changed, 33 insertions, 2 deletions

diff --git a/zebra/zebra_netns_notify.c b/zebra/zebra_netns_notify.c
index 6ad54d5c5..50b7ff923 100644
--- a/zebra/zebra_netns_notify.c
+++ b/zebra/zebra_netns_notify.c
@@ -288,6 +288,7 @@ static void zebra_ns_notify_read(struct thread *t)
 	struct inotify_event *event;
 	char buf[BUFSIZ];
 	ssize_t len;
+	char event_name[NAME_MAX + 1];
 
 	thread_add_read(zrouter.master, zebra_ns_notify_read, NULL, fd_monitor,
 			&zebra_netns_notify_current);
@@ -320,11 +321,41 @@ static void zebra_ns_notify_read(struct thread *t)
 			break;
 		}
 
+		/*
+		 * Coverity Scan extra steps to satisfy `STRING_NULL` warning:
+		 * - Make sure event name is present by checking `len != 0`
+		 * - Event name length must be at most `NAME_MAX + 1`
+		 *   (null byte inclusive)
+		 * - Copy event name to a stack buffer to make sure it
+		 *   includes the null byte. `event->name` includes at least
+		 *   one null byte and `event->len` accounts the null bytes,
+		 *   so the operation after `memcpy` will look like a
+		 *   truncation to satisfy Coverity Scan null byte ending.
+		 *
+		 *   Example:
+		 *   if `event->name` is `abc\0` and `event->len` is 4,
+		 *   `memcpy` will copy the 4 bytes and then we set the
+		 *   null byte again at the position 4.
+		 *
+		 * For more information please read inotify(7) man page.
+		 */
+		if (event->len == 0)
+			continue;
+
+		if (event->len > sizeof(event_name)) {
+			flog_err(EC_ZEBRA_NS_NOTIFY_READ,
+				 "NS notify error: unexpected big event name");
+			break;
+		}
+
+		memcpy(event_name, event->name, event->len);
+		event_name[event->len - 1] = 0;
+
 		if (event->mask & IN_DELETE) {
-			zebra_ns_delete(event->name);
+			zebra_ns_delete(event_name);
 			continue;
 		}
-		netnspath = ns_netns_pathname(NULL, event->name);
+		netnspath = ns_netns_pathname(NULL, event_name);
 		if (!netnspath)
 			continue;
 		netnspath = XSTRDUP(MTYPE_NETNS_MISC, netnspath);