Fix: memcpy of string is larger than source
author Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tue, 9 Oct 2012 16:47:31 +0000 (12:47 -0400)
committer Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tue, 9 Oct 2012 16:50:49 +0000 (12:50 -0400)
Hollis Blanchard <hollis_blanchard@mentor.com> wrote:
> I seem to have hit a little problem with a "hello world" test app and
> lttng-ust 2.0.3. lttng-ust.git seems to be affected as well. Basically,
> I created a single UST tracepoint, but as soon as I run "lttng
> enable-event -u -a", my app segfaults. The problem seems to be that when
> creating the event to pass to ltt_event_create(), we try to memcpy the
> full 256 bytes of name. However, the name might be shorter, and if we
> get unlucky it falls within 256 bytes of the segment boundary...

Fixing the 3 sites where this issue arises. Manually inspecting all
memcpy in the UST code returned by grep did the job.

Reported-by: Hollis Blanchard <hollis_blanchard@mentor.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
liblttng-ust/ltt-events.c
liblttng-ust/ltt-probes.c

index 82a1119cb3d8aa1e8a1891b3e779a88bbd181c93..d2c922b603d2f78342e127c0d26e1bf771d673df 100644 (file)
@@ -248,9 +248,10 @@ int pending_probe_fix_events(const struct lttng_event_desc *desc)
 
                                memcpy(&event_param, &sw->event_param,
                                                sizeof(event_param));
-                               memcpy(event_param.name,
+                               strncpy(event_param.name,
                                        desc->name,
                                        sizeof(event_param.name));
+                               event_param.name[sizeof(event_param.name) - 1] = '\0';
                                /* create event */
                                ret = ltt_event_create(sw->chan,
                                        &event_param, NULL,
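Review bot: The strncpy() into event_param.name silently truncates a desc->name that is sizeof(event_param.name) bytes or longer, and the forced terminator on the next line hides that, so ltt_event_create() would be called with a shortened name that no longer matches the descriptor. Consider checking strlen(desc->name) against sizeof(event_param.name) before the copy and skipping or reporting the event when it does not fit. A short comment saying why this is strncpy() rather than memcpy() (the source string can be shorter than the destination field, so a fixed-size copy reads past its end) would also keep the change from being reverted later as an optimisation.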
index 02df21b2f61c847e3ba082866577daa4c40c79bc..15c83873f6ad25ab038b638b5ff2ec8243f2f793 100644 (file)
@@ -254,9 +254,10 @@ void ltt_probes_create_wildcard_events(struct wildcard_entry *entry,
 
                                memcpy(&event_param, &wildcard->event_param,
                                                sizeof(event_param));
-                               memcpy(event_param.name,
+                               strncpy(event_param.name,
                                        event_desc->name,
                                        sizeof(event_param.name));
+                               event_param.name[sizeof(event_param.name) - 1] = '\0';
                                /* create event */
                                ret = ltt_event_create(wildcard->chan,
                                        &event_param, NULL,
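Review bot: The copy-and-terminate pair on event_param.name here is a verbatim repeat of the one in pending_probe_fix_events(), and the commit message counts three such sites. A small helper that takes the destination, its size and the source string would keep the sites from drifting apart and give one place to document the bound and the truncation behaviour. Passing sizeof(event_param.name) - 1 as the strncpy() length would also make it explicit that the last byte is reserved for the terminator written on the following line.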