From e572871c06b7d04722d56becf7ef8ad86b14124c Mon Sep 17 00:00:00 2001 From: Ronan Le Martret Date: Tue, 29 Aug 2017 16:07:56 +0200 Subject: Fix strncat funct I: Statement might be overflowing a buffer in strncat. Common mistake: BAD: strncat(buffer,charptr,sizeof(buffer)) is wrong, it takes the left over size as 3rd argument GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1) Signed-off-by: Ronan Le Martret --- ctl-binding/ctl-dispatch.c | 12 ++++++------ ctl-binding/ctl-lua.c | 18 +++++++++--------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ctl-binding/ctl-dispatch.c b/ctl-binding/ctl-dispatch.c index fe31a55..da900ec 100644 --- a/ctl-binding/ctl-dispatch.c +++ b/ctl-binding/ctl-dispatch.c @@ -421,8 +421,8 @@ STATIC DispatchHandleT *DispatchLoadOnload(DispatchConfigT *controlConfig, json_ char pluginpath[CONTROL_MAXPATH_LEN]; strncpy(pluginpath, fullpath, sizeof (pluginpath)); - strncat(pluginpath, "/", sizeof (pluginpath)); - strncat(pluginpath, filename, sizeof (pluginpath)); + strncat(pluginpath, "/", sizeof (pluginpath)-strlen(pluginpath)-1); + strncat(pluginpath, filename, sizeof (pluginpath)-strlen(pluginpath)-1); dPlugin->dlHandle = dlopen(pluginpath, RTLD_NOW); if (!dPlugin->dlHandle) { AFB_ERROR("DISPATCH-LOAD-CONFIG:PLUGIN Fail to load pluginpath=%s err= %s", pluginpath, dlerror()); @@ -453,7 +453,7 @@ STATIC DispatchHandleT *DispatchLoadOnload(DispatchConfigT *controlConfig, json_ int Lua2cAddOne(luaL_Reg *l2cFunc, const char* l2cName, int index) { char funcName[CONTROL_MAXPATH_LEN]; strncpy(funcName, "lua2c_", sizeof(funcName)); - strncat(funcName, l2cName, sizeof(funcName)); + strncat(funcName, l2cName, sizeof(funcName)-strlen(funcName)-1); Lua2cFunctionT l2cFunction= (Lua2cFunctionT)dlsym(dPlugin->dlHandle, funcName); if (!l2cFunction) { @@ -625,7 +625,7 @@ PUBLIC int DispatchInit() { if (!dirList) dirList=CONTROL_CONFIG_PATH; strncpy(controlFile, CONTROL_CONFIG_PRE "-", CONTROL_MAXPATH_LEN); - strncat(controlFile, GetBinderName(), CONTROL_MAXPATH_LEN); + strncat(controlFile, GetBinderName(), CONTROL_MAXPATH_LEN-strlen(controlFile)-1); // search for default dispatch config file json_object* responseJ = ScanForConfig(dirList, CTL_SCAN_RECURSIVE, controlFile, "json"); @@ -646,8 +646,8 @@ PUBLIC int DispatchInit() { if (strcasestr(filename, controlFile)) { char filepath[CONTROL_MAXPATH_LEN]; strncpy(filepath, fullpath, sizeof (filepath)); - strncat(filepath, "/", sizeof (filepath)); - strncat(filepath, filename, sizeof (filepath)); + strncat(filepath, "/", sizeof (filepath)-strlen(filepath)-1); + strncat(filepath, filename, sizeof (filepath)-strlen(filepath)-1); configHandle = DispatchLoadConfig(filepath); if (!configHandle) { AFB_ERROR("DISPATCH-INIT:ERROR Fail loading [%s]", filepath); diff --git a/ctl-binding/ctl-lua.c b/ctl-binding/ctl-lua.c index d737026..2c80205 100644 --- a/ctl-binding/ctl-lua.c +++ b/ctl-binding/ctl-lua.c @@ -741,8 +741,8 @@ STATIC void LuaDoAction (LuaDoActionT action, afb_req request) { // search for filename=script in CONTROL_LUA_PATH if (!luaScriptPathJ) { strncpy(luaScriptPath,CONTROL_DOSCRIPT_PRE, sizeof(luaScriptPath)); - strncat(luaScriptPath,"-", sizeof(luaScriptPath)); - strncat(luaScriptPath,target, sizeof(luaScriptPath)); + strncat(luaScriptPath,"-", sizeof(luaScriptPath)-strlen(luaScriptPath)-1); + strncat(luaScriptPath,target, sizeof(luaScriptPath)-strlen(luaScriptPath)-1); luaScriptPathJ= ScanForConfig(CONTROL_LUA_PATH , CTL_SCAN_RECURSIVE,luaScriptPath,".lua"); } for (index=0; index < json_object_array_length(luaScriptPathJ); index++) { @@ -757,8 +757,8 @@ STATIC void LuaDoAction (LuaDoActionT action, afb_req request) { if (index > 0) AFB_WARNING("LUA-DOSCRIPT-SCAN:Ignore second script=%s path=%s", filename, fullpath); else { strncpy (luaScriptPath, fullpath, sizeof(luaScriptPath)); - strncat (luaScriptPath, "/", sizeof(luaScriptPath)); - strncat (luaScriptPath, filename, sizeof(luaScriptPath)); + strncat (luaScriptPath, "/", sizeof(luaScriptPath)-strlen(luaScriptPath)-1); + strncat (luaScriptPath, filename, sizeof(luaScriptPath)-strlen(luaScriptPath)-1); } } @@ -778,7 +778,7 @@ STATIC void LuaDoAction (LuaDoActionT action, afb_req request) { // if no func name given try to deduct from filename if (!func && (func=(char*)GetMidleName(filename))!=NULL) { strncpy(luaScriptPath,"_", sizeof(luaScriptPath)); - strncat(luaScriptPath,func, sizeof(luaScriptPath)); + strncat(luaScriptPath,func, sizeof(luaScriptPath)-strlen(luaScriptPath)-1); func=luaScriptPath; } if (!func) { @@ -995,8 +995,8 @@ PUBLIC int LuaLibInit () { // search for default policy config file char fullprefix[CONTROL_MAXPATH_LEN]; strncpy (fullprefix, CONTROL_CONFIG_PRE "-", sizeof(fullprefix)); - strncat (fullprefix, GetBinderName(), sizeof(fullprefix)); - strncat (fullprefix, "-", sizeof(fullprefix)); + strncat (fullprefix, GetBinderName(), sizeof(fullprefix)-strlen(fullprefix)-1); + strncat (fullprefix, "-", sizeof(fullprefix)-strlen(fullprefix)-1); const char *dirList= getenv("CONTROL_LUA_PATH"); if (!dirList) dirList=CONTROL_LUA_PATH; @@ -1039,8 +1039,8 @@ PUBLIC int LuaLibInit () { char filepath[CONTROL_MAXPATH_LEN]; strncpy(filepath, fullpath, sizeof(filepath)); - strncat(filepath, "/", sizeof(filepath)); - strncat(filepath, filename, sizeof(filepath)); + strncat(filepath, "/", sizeof(filepath)-strlen(filepath)-1); + strncat(filepath, filename, sizeof(filepath)-strlen(filepath)-1); err= luaL_loadfile(luaState, filepath); if (err) { AFB_ERROR ("LUA-LOAD HOOPs Error in LUA loading scripts=%s err=%s", filepath, lua_tostring(luaState,-1)); -- cgit