The 'size' operand of memcpy() does not indicate the length of the
opts array; it is the size of the resulting array once the opts array
is concatenated with the options being added in this function. This
results in out-of-bound read(s) in the opts array.

Use 'sizeof(char *) * opts_len' as the length to copy at the beginning
of the resulting array.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
goto error;
}
- memcpy(argv, opts, size);
+ memcpy(argv, opts, sizeof(char *) * opts_len);
if (session_live_mode) {
argv[opts_len] = "-i";
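Review bot: on the new memcpy() line, if opts can be NULL when opts_len is 0, passing it to memcpy() is undefined behaviour even with a zero length, so guard the call with `if (opts_len > 0)` unless every caller guarantees a non-NULL array. Also consider writing the length as `sizeof(*opts) * opts_len` so the element size follows the array's declared type instead of a hard-coded `char *`. The message explains well why 'size' was wrong; a short comment above the memcpy() stating that 'size' is the allocation size of argv, not the length of opts, would keep the two from being confused again.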