pmqos: parser: Fix defects such as tainted integer and use of strcpy 53/118953/5
authorWook Song <wook16.song@samsung.com>
Wed, 15 Mar 2017 02:00:17 +0000 (11:00 +0900)
committerWook Song <wook16.song@samsung.com>
Mon, 27 Mar 2017 06:25:30 +0000 (15:25 +0900)
This patch fixes the following code-level defects according to static
program analysis result:

1. PROC_USE.VULNERABLE: Use of vulnerable function 'strcpy'. For better
security, using strncpy is recommended.
2. TAINTED_INT: Integer value obtained from untrusted source without checking
its higher bound is used in a trusted operation by calling function 'calloc'.

Change-Id: I423c8dcc6cb720673f2c754a39204e140fdb9e79
Signed-off-by: Wook Song <wook16.song@samsung.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
src/pmqos/pmqos-parser.c

index 5caae75c4d5bcd3de508eefd6aa940eaeca9f8d5..9efea8993d55b6143c560807ace6d2d45bec93e0 100644 (file)
@@ -29,6 +29,8 @@
 
 #include "pmqos.h"
 
+#define MAX_NUM_OF_SCENARIOS           255
+
 static bool is_supported(const char *value)
 {
        assert(value);
@@ -50,7 +52,13 @@ static int pmqos_parse_scenario(struct parse_result *result, void *user_data, un
                if (MATCH(result->name, "scenario_support"))
                        scenarios->support = is_supported(result->value);
                else if (MATCH(result->name, "scenario_num")) {
-                       scenarios->num = atoi(result->value);
+                       int num = atoi(result->value);
+
+                       if (num > MAX_NUM_OF_SCENARIOS)
+                               return -EINVAL;
+
+                       scenarios->num = num;
+
                        if (scenarios->num > 0) {
                                scenarios->list = calloc(scenarios->num,
                                                sizeof(struct scenario));
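Review bot: The bound check added in the `scenario_num` branch still depends on `atoi`, which cannot report a failed conversion and whose behaviour is undefined when the text does not fit in an `int`, so the comparison against `MAX_NUM_OF_SCENARIOS` is not guaranteed to see the value the config file contained. Negative input also passes the check and is stored in `scenarios->num`; the visible `> 0` guard skips the `calloc`, but any later use of the count lies outside this hunk. Parsing with `strtol` and rejecting conversion errors, trailing characters and out-of-range values before assigning, as sketched below, closes both gaps; relax the `*end` test if the config parser can hand over trailing whitespace. `pmqos_parse_scenario` starts and ends outside this hunk and the type of `scenarios->num` is not visible, so the cast is an assumption.

```c
		else if (MATCH(result->name, "scenario_num")) {
			char *end;
			long num;

			errno = 0;
			num = strtol(result->value, &end, 10);
			if (errno != 0 || end == result->value || *end != '\0' ||
			    num < 0 || num > MAX_NUM_OF_SCENARIOS)
				return -EINVAL;

			scenarios->num = (int)num;
			/* … unchanged: calloc of scenarios->list when num > 0 … */
```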
@@ -76,7 +84,8 @@ static int pmqos_parse_scenario(struct parse_result *result, void *user_data, un
 
        /* Parse 'Scenario' section */
        if (MATCH(result->name, "name"))
-               strcpy(scenarios->list[index].name, result->value);
+               snprintf(scenarios->list[index].name, strlen(result->value) + 1,
+                               "%s", result->value);
        else if (MATCH(result->name, "support"))
                scenarios->list[index].support = is_supported(result->value);
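Review bot: The size passed to `snprintf` on the added lines is `strlen(result->value) + 1`, which is taken from the source string and not from the destination, so the call copies exactly as many bytes as the `strcpy` it replaces and an over-long `name` value can still overflow `scenarios->list[index].name`. The bound should be the destination's capacity, for example `snprintf(scenarios->list[index].name, sizeof(scenarios->list[index].name), "%s", result->value);`, assuming `name` is a fixed-size array member (its declaration is not visible here). Truncation can then be detected by comparing the return value with that size and returning `-EINVAL`. `index` is also used unchecked in these lines; whether it is validated against `scenarios->num` earlier in `pmqos_parse_scenario`, which starts and ends outside this hunk, cannot be seen from here.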