restore: avoid an unterminated string

Submitted by Andrey Vagin on Aug. 23, 2018, 11:09 a.m.

Details

Message ID 20180823110949.28792-1-avagin@virtuozzo.com
State Accepted
Series "restore: avoid an unterminated string"

Commit Message

Andrey Vagin Aug. 23, 2018, 11:09 a.m.
>>>     CID 164715:    (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 16 bytes on
	destination array "thread_args[i].comm" of size 16 bytes might
	leave the destination string unterminated.
3473    strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);

Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
 criu/cr-restore.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 87a4754f0..da2dac428 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -3468,9 +3468,10 @@  static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, uns
 			goto err;
 
 		if (tcore->thread_core->comm)
-			strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN);
+			strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN - 1);
 		else
-			strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
+			strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN - 1);
+		thread_args[i].comm[TASK_COMM_LEN - 1] = 0;
 
 		if (thread_args[i].pid != pid)
 			core_entry__free_unpacked(tcore, NULL);
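
Review bot: The two strncpy calls now differ only in their source pointer, and both depend on the separate `thread_args[i].comm[TASK_COMM_LEN - 1] = 0;` line that follows the if/else at the same indentation as `else`. Selecting the source once (thread_core->comm if set, otherwise core->tc->comm) and doing a single bounded copy plus the terminator would remove the duplication and make it obvious that both branches end up terminated. Writing the terminator as '\0' rather than 0 is a minor style point. The copy itself is correct as written: strncpy zero-pads a short source up to TASK_COMM_LEN - 1 bytes, and the last byte is set explicitly.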

Comments

Cyrill Gorcunov Aug. 23, 2018, 12:03 p.m.
On Thu, Aug 23, 2018 at 02:09:49PM +0300, Andrei Vagin wrote:
> >>>     CID 164715:    (BUFFER_SIZE_WARNING)
> >>>     Calling strncpy with a maximum size argument of 16 bytes on
> 	destination array "thread_args[i].comm" of size 16 bytes might
> 	leave the destination string unterminated.
> 3473    strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
> 
> Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>

Andrey Vagin Aug. 29, 2018, 12:10 p.m.
Applied

On Thu, Aug 23, 2018 at 02:09:49PM +0300, Andrei Vagin wrote:
> >>>     CID 164715:    (BUFFER_SIZE_WARNING)
> >>>     Calling strncpy with a maximum size argument of 16 bytes on
> 	destination array "thread_args[i].comm" of size 16 bytes might
> 	leave the destination string unterminated.
> 3473    strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
> 
> Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
> ---
>  criu/cr-restore.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/criu/cr-restore.c b/criu/cr-restore.c
> index 87a4754f0..da2dac428 100644
> --- a/criu/cr-restore.c
> +++ b/criu/cr-restore.c
> @@ -3468,9 +3468,10 @@ static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, uns
>  			goto err;
>  
>  		if (tcore->thread_core->comm)
> -			strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN);
> +			strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN - 1);
>  		else
> -			strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
> +			strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN - 1);
> +		thread_args[i].comm[TASK_COMM_LEN - 1] = 0;
>  
>  		if (thread_args[i].pid != pid)
>  			core_entry__free_unpacked(tcore, NULL);
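
Review bot: In the else branch, `core->tc->comm` is passed to strncpy without the NULL test that the if branch applies to `tcore->thread_core->comm`. If an image can lack that field, the copy dereferences NULL before the new terminator line is reached, so it is worth confirming the field is always present or falling back to an empty name. Separately, with the limit at TASK_COMM_LEN - 1 a longer name is now truncated silently; a warning there would flag a malformed image instead of hiding it.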
> -- 
> 2.14.3
>