fix tained string issue

Change-Id: I349b13d2d2731c69c4ee44dc6aef1c9613c00ff5

diff --git a/src/tdm.c b/src/tdm.c
index 955d5d5..4f8c253 100644 (file)
--- a/src/tdm.c
+++ b/src/tdm.c
@@ -862,20 +862,22 @@ static tdm_error
 _tdm_display_load_module(tdm_private_display *private_display)
 {
        const char *module_name;
-       char module[TDM_NAME_LEN];
        struct dirent **namelist;
-       int n;
+       int n, len;
        tdm_error ret = 0;
 
        module_name = getenv("TDM_MODULE");
        if (!module_name)
                module_name = TDM_DEFAULT_MODULE;
 
-       strncpy(module, module_name, TDM_NAME_LEN - 1);
-       module[TDM_NAME_LEN - 1] = '\0';
+       len = strlen(module_name);
+       if (len > TDM_NAME_LEN - 1) {
+               TDM_ERR("TDM_MODULE is too long\n");
+               return TDM_ERROR_OPERATION_FAILED;
+       }
 
        /* load bufmgr priv from default lib */
-       ret = _tdm_display_load_module_with_file(private_display, (const char*)module);
+       ret = _tdm_display_load_module_with_file(private_display, module_name);
        if (ret == TDM_ERROR_NONE)
                return TDM_ERROR_NONE;
 

diff --git a/src/tdm_server.c b/src/tdm_server.c
index 3d9daf3..5f88332 100644 (file)
--- a/src/tdm_server.c
+++ b/src/tdm_server.c
@@ -874,7 +874,7 @@ _tdm_socket_init(tdm_private_loop *private_loop)
 {
        const char *dir = NULL;
        char socket_path[TDM_NAME_LEN * 2];
-       int ret = -1;
+       int ret = -1, len;
        uid_t uid;
        gid_t gid;
 
@@ -888,6 +888,12 @@ _tdm_socket_init(tdm_private_loop *private_loop)
                /* LCOV_EXCL_STOP */
        }
 
+       len = strlen(dir);
+       if (len > TDM_NAME_LEN - 1) {
+               TDM_ERR("XDG_RUNTIME_DIR is too long\n");
+               return;
+       }
+
        strncpy(socket_path, dir, TDM_NAME_LEN - 1);
        socket_path[TDM_NAME_LEN - 1] = '\0';