From 9bfa062b34d91079fcb91380fff24745071a72f2 Mon Sep 17 00:00:00 2001 From: Youmin Ha Date: Mon, 12 Oct 2015 22:04:39 +0900 Subject: [PATCH] Fix prevent issues This commit fixes following prevent CIDs: * 458876: Avoid copying string which cannot be null-terminated * 459717: NULL-check after memory allocation * 461686: NULL-check tainted scalar(string read by fgets()) * 462630: NULL-check after memory allocation * 466499: NULL-check after memory allocation * 470326: NULL-check after memory allocation * 471806: NULL-check after memory allocation * 472387: NULL-check after memory allocation * 475993: NULL-check after memory allocation Change-Id: Ie33494a2055528ae1c8b8ffb296a2111c3468e95 --- src/common/tlm-utils.c | 39 +++++++++++++++++++++++++++++++++------ src/daemon/tlm-seat.c | 4 ++++ src/utils/tlm-launcher.c | 7 +++++++ 3 files changed, 44 insertions(+), 6 deletions(-) diff --git a/src/common/tlm-utils.c b/src/common/tlm-utils.c index d2a957e..ee4ef33 100644 --- a/src/common/tlm-utils.c +++ b/src/common/tlm-utils.c @@ -200,11 +200,21 @@ _get_host_address ( struct sockaddr_in *sa = (struct sockaddr_in *) info->ai_addr; sz_hostaddress = sizeof(struct in_addr); *hostaddress = g_malloc0 (sz_hostaddress); + if (!*hostaddress) { + CRITICAL("g_malloc0 memory allocation failure"); + freeaddrinfo (info); + return 0; + } memcpy (*hostaddress, &(sa->sin_addr), sz_hostaddress); } else if (info->ai_family == AF_INET6) { struct sockaddr_in6 *sa = (struct sockaddr_in6 *) info->ai_addr; sz_hostaddress = sizeof(struct in6_addr); *hostaddress = g_malloc0 (sz_hostaddress); + if (!*hostaddress) { + CRITICAL("g_malloc0 memory allocation failure"); + freeaddrinfo (info); + return 0; + } memcpy (*hostaddress, &(sa->sin6_addr), sz_hostaddress); } freeaddrinfo (info); 
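Review bot: The `if (!*hostaddress)` branches added after `g_malloc0 (sz_hostaddress)` can never run, because GLib's g_malloc0() terminates the process on allocation failure and returns NULL only for a zero-byte request. The same holds for the checks this patch adds after `g_malloc0`, `g_slice_new0` and `g_slice_alloc0` in _get_host_name, _watch_info_new, _inotify_watcher_cb, tlm_authenticate_user, tlm_seat_create_session and _tlm_launcher_process. If graceful failure is wanted here, allocate with `*hostaddress = g_try_malloc0 (sz_hostaddress);` and keep the check. Otherwise drop the branches, so that error paths which cannot execute are not mistaken for tested handling. The body of _get_host_address starts and ends outside the hunk.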
@@ -240,6 +250,10 @@ static gchar * _get_host_name () { gchar *name = g_malloc0 (HOST_NAME_SIZE); + if (!name) { + CRITICAL("g_malloc0 memory allocation failure"); + return NULL; + } if (gethostname (name, HOST_NAME_SIZE) != 0) { g_free (name); return NULL; @@ -289,13 +303,13 @@ tlm_utils_log_utmp_entry (const gchar *username) ut_ent.ut_type = USER_PROCESS; ut_ent.ut_pid = pid; if (tty_id) - strncpy (ut_ent.ut_id, tty_id, sizeof (ut_ent.ut_id)); + strncpy (ut_ent.ut_id, tty_id, sizeof (ut_ent.ut_id)-1); if (username) - strncpy (ut_ent.ut_user, username, sizeof (ut_ent.ut_user)); + strncpy (ut_ent.ut_user, username, sizeof (ut_ent.ut_user)-1); if (tty_no_dev_name) - strncpy (ut_ent.ut_line, tty_no_dev_name, sizeof (ut_ent.ut_line)); + strncpy (ut_ent.ut_line, tty_no_dev_name, sizeof (ut_ent.ut_line)-1); if (hostname) - strncpy (ut_ent.ut_host, hostname, sizeof (ut_ent.ut_host)); + strncpy (ut_ent.ut_host, hostname, sizeof (ut_ent.ut_host)-1); if (hostaddress) memcpy (&ut_ent.ut_addr_v6, hostaddress, sz_hostaddress); @@ -422,6 +436,10 @@ _watch_info_new ( gpointer userdata) { WatchInfo *info = g_slice_new0 (WatchInfo); + if (!info) { + CRITICAL("g_slice_new0 memory allocation failure"); + return NULL; + } info->ifd = ifd; info->cb = cb; info->userdata = userdata; @@ -525,7 +543,7 @@ _add_watch (int ifd, char *file_path, WatchInfo *info) { remove_and_return: g_hash_table_remove (info->dir_table, (gconstpointer)dir); g_list_free_full (file_list, (GDestroyNotify)g_free); - + return res; } @@ -538,6 +556,11 @@ _inotify_watcher_cb (gint ifd, GIOCondition condition, gpointer userdata) guint nwatch = g_hash_table_size (info->wd_table); ie = (struct inotify_event *) g_slice_alloc0(size); + if (!ie) { + CRITICAL("g_slice_alloc0 memory allocation failure"); + return nwatch ? G_SOURCE_CONTINUE : G_SOURCE_REMOVE; + } + while (nwatch && read (ifd, ie, size) > (ssize_t)sizeof (struct inotify_event)) { GList *file_list = NULL; 
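Review bot: `gethostname (name, HOST_NAME_SIZE)` in _get_host_name can leave `name` without a terminating NUL when the host name is truncated to fit, since POSIX leaves termination unspecified in that case. The added allocation check does not address this. Passing one byte less, `if (gethostname (name, HOST_NAME_SIZE - 1) != 0) {`, keeps the last zero byte written by g_malloc0 in place, so later string handling of the result stays bounded. The function continues past the end of the hunk.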
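Review bot: In tlm_utils_log_utmp_entry the new `sizeof (...)-1` bounds guarantee terminated `ut_id`, `ut_user`, `ut_line` and `ut_host` fields only if `ut_ent` was zero-filled before these lines, and that initialisation is not visible in the hunk. If it is not already done above, add `memset (&ut_ent, 0, sizeof (ut_ent));` ahead of the assignments. Over-long values are also cut silently, so a login record may carry a shortened user or host name. A `WARN` when, for example, `strlen (username) >= sizeof (ut_ent.ut_user)` would make that visible to whoever reads the records later.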
@@ -634,7 +657,7 @@ _expand_file_path (const gchar *file_path) *tmp_item = g_strdup (env ? env : ""); } } - + expanded_path = g_strjoinv (G_DIR_SEPARATOR_S, items); g_strfreev(items); @@ -752,6 +775,10 @@ tlm_authenticate_user ( service = "system-auth"; info = g_malloc0 (sizeof (*info)); + if (!info) { + CRITICAL("g_malloc0 memory allocation failure"); + return FALSE; + } info->username = strndup (username, PAM_MAX_RESP_SIZE - 1); info->password = strndup (password, PAM_MAX_RESP_SIZE - 1); const struct pam_conv conv = {func_conv, info}; diff --git a/src/daemon/tlm-seat.c b/src/daemon/tlm-seat.c index d3236ff..547954f 100644 --- a/src/daemon/tlm-seat.c +++ b/src/daemon/tlm-seat.c @@ -593,6 +593,10 @@ tlm_seat_create_session (TlmSeat *seat, if (priv->prev_count > 3) { WARN ("relogins spinning too fast, delay..."); DelayClosure *delay_closure = g_slice_new0 (DelayClosure); + if (!delay_closure) { + CRITICAL("g_slice_new0 memory allication failure"); + return FALSE; + } delay_closure->seat = g_object_ref (seat); delay_closure->service = g_strdup (service); delay_closure->username = g_strdup (username); diff --git a/src/utils/tlm-launcher.c b/src/utils/tlm-launcher.c index e4a413a..dd9bf12 100644 --- a/src/utils/tlm-launcher.c +++ b/src/utils/tlm-launcher.c @@ -146,6 +146,7 @@ static void _tlm_launcher_process (TlmLauncher *l) while (fgets(str, sizeof(str) - 1, l->fp) != NULL) { char control = 0; + if (0 >= strlen(str)) continue; /* Prevent: tainted scalar check */ gchar *cmd = g_strstrip(str); if (!strlen(cmd) || cmd[0] == '#') /* comment */ @@ -158,6 +159,8 @@ static void _tlm_launcher_process (TlmLauncher *l) case 'M': case 'L': argv = tlm_utils_split_command_line (cmd); + if (!argv) + ERR("Getting argv failure"); if ((child_pid = fork()) < 0) { ERR("fork() failed: %s", strerror (errno)); } else if (child_pid == 0) { 
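Review bot: In tlm_authenticate_user the two `strndup` calls right after the new check are the allocations that can actually return NULL, yet their results go into `info->username` and `info->password` unchecked before `info` is handed to the PAM conversation through `conv`. Add `if (!info->username || !info->password)` with a path that frees both copies and `info` and returns FALSE. `username` and `password` should also be checked for NULL before the `strndup` calls, unless a guard above the hunk already does that. The function starts and ends outside the hunk.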
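Review bot: The message in the `CRITICAL` call added to tlm_seat_create_session is misspelled (`allication`), so a log search for the wording used in the other two files will miss it. It should read `CRITICAL("g_slice_new0 memory allocation failure");`. The enclosing function continues outside the hunk.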
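Review bot: The added `if (0 >= strlen(str)) continue;` in _tlm_launcher_process compares an unsigned `size_t` against zero, so it is only an empty-string test written in a misleading form; `if (str[0] == '\0') continue;` says the same thing directly. The existing `!strlen(cmd)` test two lines later already skips empty commands after `g_strstrip`, so the new line mainly serves the static-analysis finding. If it stays, the comment could say that it guards against a line whose first byte is NUL.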
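Review bot: The new `if (!argv)` after `tlm_utils_split_command_line (cmd)` only logs and then falls through to `fork()`, so the child branch still runs with a NULL `argv`. The exec call itself is outside this hunk, but the `exec failed` warning in the next hunk suggests `argv` is used there. Skip the command instead, with `if (!argv) { ERR("Getting argv failure"); break; }`, after confirming that nothing following the switch has to run for this input line.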
@@ -168,6 +171,10 @@ static void _tlm_launcher_process (TlmLauncher *l) WARN("exec failed: %s", strerror (errno)); } else if (control == 'M') { ChildInfo *info = g_slice_new0 (ChildInfo); + if (!info) { + CRITICAL("g_slice_new0 memory allocation failure"); + break; + } info->pid = child_pid; info->watcher = g_child_watch_add (child_pid, (GChildWatchFunc)_on_child_down_cb, l); -- 2.7.4