Prevent potentially unterminated buffers while adding rule to the list

Functions smack_accesses_add() and smack_accesses_add_modify() don't check
length of arguments subject and object. These arguments are used as source
for strncpy(), which can cause labels to be truncated.

But the length argument for strncpy() is too large. This might cause
rule->subject or rule->object to be not terminated by null character.
It can happen when these functions are called from outside libsmack.
It can also happen while parsing files in smack_accesses_add_from_file(),
because that function doesn't validate subject and object too.

This commit fixes the problem by checking arguments in smack_accesses_add()
and smack_accesses_add_modify(). After checking strcpy() is safe for
copying them.

diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c
index 2dcac2d..d98f233 100644 (file)
--- a/libsmack/libsmack.c
+++ b/libsmack/libsmack.c
@@ -168,12 +168,18 @@ int smack_accesses_add(struct smack_accesses *handle, const char *subject,
 {
        struct smack_rule *rule = NULL;
 
+       if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
+           strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
+               errno = ERANGE;
+               return -1;
+       }
+
        rule = calloc(sizeof(struct smack_rule), 1);
        if (rule == NULL)
                return -1;
 
-       strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
-       strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+       strcpy(rule->subject, subject);
+       strcpy(rule->object, object);
        parse_access_type(access_type, rule->access_set);
 
        if (handle->first == NULL) {
@@ -191,12 +197,18 @@ int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject
 {
        struct smack_rule *rule = NULL;
 
+       if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
+           strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
+               errno = ERANGE;
+               return -1;
+       }
+
        rule = calloc(sizeof(struct smack_rule), 1);
        if (rule == NULL)
                return -1;
 
-       strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
-       strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+       strcpy(rule->subject, subject);
+       strcpy(rule->object, object);
        parse_access_type(access_add, rule->access_add);
        parse_access_type(access_del, rule->access_del);
        rule->is_modify = 1;