Ensure received data is nul terminated, found by Coverity Scan
Coverity found two possible untrusted loop bounds, in unix_cb() and inet_cb(), that were indeed possibly unterminated strings. These were classified as medium. A third finding, marked high, was found in kernel_cb(), which upon further investigation seems bogus. This patch terminates the buffers received in unix_cb() and inet_cb() but only changes to 0 from \0 termination in kernel_cb(). Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@@ -521,7 +521,7 @@ static void kernel_cb(int fd, void *arg)
|
|||||||
for (;;) {
|
for (;;) {
|
||||||
i = read(fd, line + len, MAXLINE - 1 - len);
|
i = read(fd, line + len, MAXLINE - 1 - len);
|
||||||
if (i > 0) {
|
if (i > 0) {
|
||||||
line[i + len] = '\0';
|
line[i + len] = 0;
|
||||||
} else {
|
} else {
|
||||||
if (i < 0) {
|
if (i < 0) {
|
||||||
switch (errno) {
|
switch (errno) {
|
||||||
@@ -543,7 +543,7 @@ static void kernel_cb(int fd, void *arg)
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (p = line; (q = strchr(p, '\n')) != NULL; p = q + 1) {
|
for (p = line; (q = strchr(p, '\n')) != NULL; p = q + 1) {
|
||||||
*q = '\0';
|
*q = 0;
|
||||||
printsys(p);
|
printsys(p);
|
||||||
}
|
}
|
||||||
len = strlen(p);
|
len = strlen(p);
|
||||||
@@ -586,6 +586,7 @@ static void unix_cb(int sd, void *arg)
|
|||||||
ERR("UNIX recv()");
|
ERR("UNIX recv()");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
msg[msglen] = 0;
|
||||||
|
|
||||||
parsemsg(LocalHostName, msg);
|
parsemsg(LocalHostName, msg);
|
||||||
}
|
}
|
||||||
@@ -656,6 +657,7 @@ static void inet_cb(int sd, void *arg)
|
|||||||
ERR("INET recvfrom()");
|
ERR("INET recvfrom()");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
msg[len] = 0;
|
||||||
|
|
||||||
hname = cvthname((struct sockaddr *)&ss, sslen);
|
hname = cvthname((struct sockaddr *)&ss, sslen);
|
||||||
unmapped(sa);
|
unmapped(sa);
|
||||||
|
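Review bot: The added `msg[msglen] = 0;` in unix_cb() and `msg[len] = 0;` in inet_cb() are in bounds only if the preceding recv()/recvfrom() was given a size at least one byte smaller than the buffer; those calls and the declarations of msg lie outside the hunks shown, so this needs confirming. kernel_cb() visibly reserves that byte by reading at most `MAXLINE - 1 - len`, and the two socket callbacks should follow the same pattern, e.g. `recv(sd, msg, sizeof(msg) - 1, 0)`, otherwise a maximum-size datagram makes the new terminator a one-byte write past the end of msg. Only the tail of the error branch above each store is visible, so it is also worth checking that a negative return value can never reach the index. A short comment such as `/* recv() size leaves one byte for this terminator */` beside each store would keep the size argument and the store in step.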