path: root/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch
blob: b73b01120e0c7606458ff0c905eaea5bf010b7b3 (plain)
From c9fc86a50459776d9a7abb609f6503c57d69e034 Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 11:15:26 -0800
Subject: [PATCH 5/7] Ensure strings from peer are copied correctly.

The method of using strlen() and strcpy()/strncpy() has
a couple of holes. Do not try to measure the length of
strings supplied from peer, and ensure copied strings are
NUL-terminated. Use the new strlcpy() instead.
Found by Qualys.

CVE: CVE-2017-17840

Upstream-Status: Backport

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 iscsiuio/src/unix/iscsid_ipc.c | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index bde8d66..52ae8c6 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -152,10 +152,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird)
 	struct in_addr ia;
 	struct in6_addr ia6;
 
-	if (strlen(in_ipaddr_str) > NI_MAXHOST)
-		strncpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
-	else
-		strcpy(ipaddr_str, in_ipaddr_str);
+	strlcpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
 
 	/* Find the CIDR if any */
 	tmp = strchr(ipaddr_str, '/');
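Review bot: The bound passed to strlcpy() in decode_cidr is the constant `NI_MAXHOST` rather than the size of the destination, and the return value is dropped, so truncation of a peer-supplied address goes unnoticed. The declaration of `ipaddr_str` is outside the hunk; if it is a local array, `strlcpy(ipaddr_str, in_ipaddr_str, sizeof(ipaddr_str))` keeps the bound tied to the buffer. Assuming the helper returns the source length as the BSD strlcpy() does, comparing the result against `sizeof(ipaddr_str)` would let the function reject an over-long string instead of parsing a cut-off one. The three strlcpy() calls in decode_iface in the later hunks follow the same pattern.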
@@ -287,22 +284,16 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec)
 
 			/* For LL on, ignore the IPv6 addr in the iface */
 			if (ird->linklocal_autocfg == IPV6_LL_AUTOCFG_OFF) {
-				if (strlen(rec->ipv6_linklocal) > NI_MAXHOST)
-					strncpy(ipaddr_str, rec->ipv6_linklocal,
-						NI_MAXHOST);
-				else
-					strcpy(ipaddr_str, rec->ipv6_linklocal);
+				strlcpy(ipaddr_str, rec->ipv6_linklocal,
+					NI_MAXHOST);
 				inet_pton(AF_INET6, ipaddr_str,
 					  &ird->ipv6_linklocal);
 			}
 
 			/* For RTR on, ignore the IPv6 addr in the iface */
 			if (ird->router_autocfg == IPV6_RTR_AUTOCFG_OFF) {
-				if (strlen(rec->ipv6_router) > NI_MAXHOST)
-					strncpy(ipaddr_str, rec->ipv6_router,
-						NI_MAXHOST);
-				else
-					strcpy(ipaddr_str, rec->ipv6_router);
+				strlcpy(ipaddr_str, rec->ipv6_router,
+					NI_MAXHOST);
 				inet_pton(AF_INET6, ipaddr_str,
 					  &ird->ipv6_router);
 			}
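Review bot: strlcpy() bounds the write into `ipaddr_str`, but if the helper added earlier in this series follows the BSD contract of returning strlen(src), it still scans `rec->ipv6_linklocal` and `rec->ipv6_router` up to a NUL, so an unterminated field sent by the peer would be read past its end. The commit message says the source length should not be measured, so it is worth confirming that the helper stops at the size bound. Otherwise the fields could be terminated where the record is received, e.g. `rec->ipv6_linklocal[sizeof(rec->ipv6_linklocal) - 1] = '\0';`. The same applies to `rec->gateway` in the next hunk. The field declarations are outside this hunk, so the `sizeof` form assumes they are fixed-size arrays.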
@@ -316,10 +307,7 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec)
 					calculate_default_netmask(
 							ird->ipv4_addr.s_addr);
 
-			if (strlen(rec->gateway) > NI_MAXHOST)
-				strncpy(ipaddr_str, rec->gateway, NI_MAXHOST);
-			else
-				strcpy(ipaddr_str, rec->gateway);
+			strlcpy(ipaddr_str, rec->gateway, NI_MAXHOST);
 			inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway);
 		}
 	} else {
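Review bot: The result of `inet_pton()` is ignored after the copy of `rec->gateway`, so a truncated or malformed address from the peer leaves `ird->ipv4_gateway` with whatever it held before, and decoding continues as if the value were valid. Checking it with `if (inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway) != 1)` and taking the function's error path, or at least logging the rejected string, would close that gap. The two `inet_pton(AF_INET6, ...)` calls in the previous hunk have the same issue. decode_iface starts and ends outside the hunk, so how it reports errors is not visible here.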
-- 
1.9.1