Start to add truncate checks on all uses of strlcpy(). Reading lwn

has it's uses :-).

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Mar 29 20:48:15 CEST 2012 on sn-devel-104

diff --git a/lib/socket/interfaces.c b/lib/socket/interfaces.c
index 775956ba990c4f36c4db744b99f64a599fd2df01..74c642372a24323befae23534d1f525991a96fab 100644 (file)
--- a/lib/socket/interfaces.c
+++ b/lib/socket/interfaces.c
@@ -212,8 +212,12 @@ static int _get_interfaces(TALLOC_CTX *mem_ctx, struct iface_struct **pifaces)
                        continue;
                }
 
-               strlcpy(ifaces[total].name, ifptr->ifa_name,
-                       sizeof(ifaces[total].name));
+               if (strlcpy(ifaces[total].name, ifptr->ifa_name,
+                       sizeof(ifaces[total].name)) >=
+                               sizeof(ifaces[total].name)) {
+                       /* Truncation ! Ignore. */
+                       continue;
+               }
                total++;
        }
 

diff --git a/lib/util/fault.c b/lib/util/fault.c
index d0b34e540b432d288708e3191da011ce2bcbb464..4f8e8db5ca7ef061ced4785825408113347a4444 100644 (file)
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -116,8 +116,6 @@ _PUBLIC_ const char *panic_action = NULL;
 */
 static void smb_panic_default(const char *why)
 {
-       int result;
-
 #if defined(HAVE_PRCTL) && defined(PR_SET_PTRACER)
        /*
         * Make sure all children can attach a debugger.
@@ -126,20 +124,22 @@ static void smb_panic_default(const char *why)
 #endif
 
        if (panic_action && *panic_action) {
-               char pidstr[20];
                char cmdstring[200];
-               strlcpy(cmdstring, panic_action, sizeof(cmdstring));
-               snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
-               all_string_sub(cmdstring, "%d", pidstr, sizeof(cmdstring));
-               DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmdstring));
-               result = system(cmdstring);
-
-               if (result == -1)
-                       DEBUG(0, ("smb_panic(): fork failed in panic action: %s\n",
-                                 strerror(errno)));
-               else
-                       DEBUG(0, ("smb_panic(): action returned status %d\n",
-                                 WEXITSTATUS(result)));
+               if (strlcpy(cmdstring, panic_action, sizeof(cmdstring)) < sizeof(cmdstring)) {
+                       int result;
+                       char pidstr[20];
+                       snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
+                       all_string_sub(cmdstring, "%d", pidstr, sizeof(cmdstring));
+                       DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmdstring));
+                       result = system(cmdstring);
+
+                       if (result == -1)
+                               DEBUG(0, ("smb_panic(): fork failed in panic action: %s\n",
+                                         strerror(errno)));
+                       else
+                               DEBUG(0, ("smb_panic(): action returned status %d\n",
+                                         WEXITSTATUS(result)));
+               }
        }
        DEBUG(0,("PANIC: %s\n", why));
 

diff --git a/lib/util/util_net.c b/lib/util/util_net.c
index 637c52b988403a3261984aabed2460b7ddc4d99d..69e5324180f5d597105ae3bd9543ecac4552465d 100644 (file)
--- a/lib/util/util_net.c
+++ b/lib/util/util_net.c
@@ -107,9 +107,11 @@ static bool interpret_string_addr_pref(struct sockaddr_storage *pss,
                 */
 
                if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
-                       strlcpy(addr, str,
-                               MIN(PTR_DIFF(p,str)+1,
-                                       sizeof(addr)));
+                       size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+                       if (strlcpy(addr, str, len) >= len) {
+                               /* Truncate. */
+                               return false;
+                       }
                        str = addr;
                }
        }
@@ -332,9 +334,11 @@ bool is_ipaddress_v6(const char *str)
                 */
 
                if (p && (p > str) && (if_nametoindex(p+1) != 0)) {
-                       strlcpy(addr, str,
-                               MIN(PTR_DIFF(p,str)+1,
-                                       sizeof(addr)));
+                       size_t len = MIN(PTR_DIFF(p,str)+1, sizeof(addr));
+                       if (strlcpy(addr, str, len) >= len) {
+                               /* Truncate. */
+                               return false;
+                       }
                        sp = addr;
                }
                ret = inet_pton(AF_INET6, sp, &dest6);
@@ -723,7 +727,10 @@ static const char *get_socket_addr(int fd, char *addr_buf, size_t addr_len)
         * zero IPv6 address. No good choice here.
         */
 
-       strlcpy(addr_buf, "0.0.0.0", addr_len);
+       if (strlcpy(addr_buf, "0.0.0.0", addr_len) >= addr_len) {
+               /* Truncate ! */
+               return NULL;
+       }
 
        if (fd == -1) {
                return addr_buf;

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ed19e7f42bf1aa8ae946509237d552a1cedae2fb..30dbc0c6dd32d631370a49405835205508c94a12 100644 (file)
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3037,7 +3037,9 @@ static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
                return NT_STATUS_NO_MEMORY;
        }
 
-       client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
+       if (client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr)) == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
        addr = talloc_strdup(cconn, tmp_addr);
        if (addr == NULL) {
                return NT_STATUS_NO_MEMORY;