From c9fc86a50459776d9a7abb609f6503c57d69e034 Mon Sep 17 00:00:00 2001 From: Lee Duncan Date: Fri, 15 Dec 2017 11:15:26 -0800 Subject: [PATCH 5/7] Ensure strings from peer are copied correctly. The method of using strlen() and strcpy()/strncpy() has a couple of holes. Do not try to measure the length of strings supplied from peer, and ensure copied strings are NULL-terminated. Use the new strlcpy() instead. Found by Qualsys. CVE: CVE-2017-17840 Upstream-Status: Backport Signed-off-by: Zhixiong Chi --- iscsiuio/src/unix/iscsid_ipc.c | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c index bde8d66..52ae8c6 100644 --- a/iscsiuio/src/unix/iscsid_ipc.c +++ b/iscsiuio/src/unix/iscsid_ipc.c @@ -152,10 +152,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird) struct in_addr ia; struct in6_addr ia6; - if (strlen(in_ipaddr_str) > NI_MAXHOST) - strncpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST); - else - strcpy(ipaddr_str, in_ipaddr_str); + strlcpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST); /* Find the CIDR if any */ tmp = strchr(ipaddr_str, '/'); @@ -287,22 +284,16 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec) /* For LL on, ignore the IPv6 addr in the iface */ if (ird->linklocal_autocfg == IPV6_LL_AUTOCFG_OFF) { - if (strlen(rec->ipv6_linklocal) > NI_MAXHOST) - strncpy(ipaddr_str, rec->ipv6_linklocal, - NI_MAXHOST); - else - strcpy(ipaddr_str, rec->ipv6_linklocal); + strlcpy(ipaddr_str, rec->ipv6_linklocal, + NI_MAXHOST); inet_pton(AF_INET6, ipaddr_str, &ird->ipv6_linklocal); } /* For RTR on, ignore the IPv6 addr in the iface */ if (ird->router_autocfg == IPV6_RTR_AUTOCFG_OFF) { - if (strlen(rec->ipv6_router) > NI_MAXHOST) - strncpy(ipaddr_str, rec->ipv6_router, - NI_MAXHOST); - else - strcpy(ipaddr_str, rec->ipv6_router); + strlcpy(ipaddr_str, rec->ipv6_router, + NI_MAXHOST); inet_pton(AF_INET6, ipaddr_str, &ird->ipv6_router); } @@ -316,10 +307,7 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec) calculate_default_netmask( ird->ipv4_addr.s_addr); - if (strlen(rec->gateway) > NI_MAXHOST) - strncpy(ipaddr_str, rec->gateway, NI_MAXHOST); - else - strcpy(ipaddr_str, rec->gateway); + strlcpy(ipaddr_str, rec->gateway, NI_MAXHOST); inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway); } } else { -- 1.9.1