From: Rafal Krypa
Date: Fri, 16 Aug 2013 08:48:56 +0000 (+0200)
Subject: Prevent potentially unterminated buffers while adding rule to the list
X-Git-Tag: v1.1.0~73^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2aa62498600a3ca04ad0cedb3a07c6143aae29a2;p=platform%2Fupstream%2Fsmack.git
Prevent potentially unterminated buffers while adding rule to the list
Functions smack_accesses_add() and smack_accesses_add_modify() don't check length of arguments subject and object. These arguments are used as source for strncpy(), which can cause labels to be truncated. But the length argument for strncpy() is too large. This might cause rule->subject or rule->object to be not terminated by null character. It can happen when these functions are called from outside libsmack. It can also happen while parsing files in smack_accesses_add_from_file(), because that function doesn't validate subject and object too. This commit fixes the problem by checking arguments in smack_accesses_add() and smack_accesses_add_modify(). After checking strcpy() is safe for copying them.
---
diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c
index c90e265..52058c3 100644
--- a/libsmack/libsmack.c
+++ b/libsmack/libsmack.c
@@ -174,12 +174,18 @@ int smack_accesses_add(struct smack_accesses *handle, const char *subject,
 {
 struct smack_rule *rule = NULL;
+ if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
+ strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
+ errno = ERANGE;
+ return -1;
+ }
+
 rule = calloc(sizeof(struct smack_rule), 1);
 if (rule == NULL) return -1;
- strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
- strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+ strcpy(rule->subject, subject);
+ strcpy(rule->object, object);
 parse_access_type(access_type, rule->access_set);
 if (handle->first == NULL) {
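Review bot: The new guard passes `subject` and `object` straight to strnlen() with no NULL check, so a NULL label from an external caller — the case the commit message says this hardening is for — is still undefined behaviour inside the library rather than an error return; `if (subject == NULL || object == NULL) { errno = EINVAL; return -1; }` ahead of the length test would close that gap. The guard also accepts a zero-length label (strnlen() returns 0, which is not greater than SMACK_LABEL_LEN), so an empty subject or object is copied into the rule; presumably that is rejected when the rule is later written out, but rejecting it here with the same errno path would keep the failure close to its cause — confirm against how smack_accesses_add_from_file() feeds these arguments. The body of smack_accesses_add() continues past the end of the hunk.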
@@ -197,12 +203,18 @@ int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject
 {
 struct smack_rule *rule = NULL;
+ if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
+ strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
+ errno = ERANGE;
+ return -1;
+ }
+
 rule = calloc(sizeof(struct smack_rule), 1);
 if (rule == NULL) return -1;
- strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
- strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+ strcpy(rule->subject, subject);
+ strcpy(rule->object, object);
 parse_access_type(access_add, rule->access_add);
 parse_access_type(access_del, rule->access_del);
 rule->is_modify = 1;
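Review bot: The length guard added here is a byte-for-byte copy of the one added to smack_accesses_add(), so any later tightening of label validation (a NULL or empty-label check, a character whitelist) has to be made twice and can silently diverge; a single file-scope helper such as `static int label_fits(const char *label) { return strnlen(label, SMACK_LABEL_LEN + 1) <= SMACK_LABEL_LEN; }` called from both functions would keep one validation path. The choice of ERANGE also deserves a one-line comment at the check, since callers more commonly expect EINVAL for a bad argument: `/* label does not fit rule->subject/object (SMACK_LABEL_LEN + 1 bytes); reject */`. The body of smack_accesses_add_modify() continues past the end of the hunk.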