author | Avinash Thakur <avinasht@codeaurora.org> | 2018-03-22 17:50:32 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-04-29 23:25:34 -0700 |
commit | 02ee4eabb80c8621ae55d08be91777ac949680d1 (patch) | |
tree | f0adffee6a4e901295352c44259f5fe4223b0d2f | |
parent | 1ecd2d8bdee56c0e99550b0f644937d71b7fef01 (diff) |
librmnetctl: kw fixes
Using a safer implementation of memcpy
to avoid buffer overflow
CRs-Fixed: 2210993
Change-Id: I486f49ce96c27bfd5010cc9c4e7ace6eb606f1fc
Signed-off-by: "Avinash Thakur <avinasht@codeaurora.org>"
Acked-by: Kaustubh Pandey <kapandey@qti.qualcomm.com>
-rw-r--r-- | rmnetctl/inc/librmnetctl.h | 2 | ||||
-rw-r--r-- | rmnetctl/src/librmnetctl.c | 51 |
2 files changed, 47 insertions, 6 deletions
diff --git a/rmnetctl/inc/librmnetctl.h b/rmnetctl/inc/librmnetctl.h index 3d622bf..4014ac2 100644 --- a/rmnetctl/inc/librmnetctl.h +++ b/rmnetctl/inc/librmnetctl.h @@ -39,6 +39,8 @@ IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #ifndef LIBRMNETCTL_H #define LIBRMNETCTL_H +/* RMNET API failed to copy*/ +#define RMNETCTL_LIB_COPY_FAILED -1 /* RMNET API succeeded */ #define RMNETCTL_SUCCESS 0 /* RMNET API encountered an error while executing within the library. Check the diff --git a/rmnetctl/src/librmnetctl.c b/rmnetctl/src/librmnetctl.c index 731681a..cf237ba 100644 --- a/rmnetctl/src/librmnetctl.c +++ b/rmnetctl/src/librmnetctl.c @@ -92,7 +92,30 @@ struct nlmsg { char data[500]; }; +/* + * Helper functions + */ +/* + * @brief helper function to implement a secure memcpy + * @details take source and destination buffer size into + * considerations before copying + * @param dst destination buffer + * @param dst_size size of destination buffer + * @param src source buffer + * @param src_size size of source buffer + * @return size of the smallest of two buffer + */ +static inline size_t memscpy(void* dst, size_t dst_size, + const void* src, size_t src_size) +{ + size_t copy_size = 0; + if( dst_size <= src_size) + return RMNETCTL_LIB_COPY_FAILED; + else + memcpy(dst, src, copy_size); + return copy_size; +} /*=========================================================================== LOCAL FUNCTION DEFINITIONS @@ -1081,6 +1104,7 @@ int rtrmnet_ctl_newvnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, char *kind = "rmnet"; struct nlmsg req; short id; + int ret = 0; if (!hndl || !devname || !vndname || !error_code) return RMNETCTL_INVALID_ARG; 
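Review bot: `RMNETCTL_LIB_COPY_FAILED` in the librmnetctl.h hunk expands to a bare `-1`, so it can bind unexpectedly when used inside a larger expression; write it as `#define RMNETCTL_LIB_COPY_FAILED (-1)`. As far as this diff shows, the only code that produces the value is the file-local `memscpy`, whose callers turn it into `RMNETCTL_LIB_ERR`, so it may not belong in the public header next to `RMNETCTL_SUCCESS`. The comment would also read better with a space before the closing `*/`.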
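Review bot: `memscpy` in the librmnetctl.c helper hunk never copies anything, because `copy_size` is initialised to 0 and passed unchanged to `memcpy`. Every converted call site (the IFLA_VLAN_ID and IFLA_VLAN_FLAGS attributes in rtrmnet_ctl_newvnd and rtrmnet_ctl_changevnd) therefore leaves its payload unwritten and still continues as if the copy succeeded. The failure path is fragile too: `RMNETCTL_LIB_COPY_FAILED` (-1) is returned through `size_t` and only matches the callers' `int ret` after an implementation-defined conversion. The test `dst_size <= src_size` also rejects an exact fit, which disagrees with the documented "size of the smallest of two buffer". I would return an `int` status and copy `src_size` bytes once the destination is known to be large enough, updating the `@return` line to match.

```c
static inline int memscpy(void *dst, size_t dst_size,
			  const void *src, size_t src_size)
{
	/* Refuse rather than truncate: a short attribute payload is malformed. */
	if (dst_size < src_size)
		return RMNETCTL_LIB_COPY_FAILED;
	memcpy(dst, src, src_size);
	return RMNETCTL_SUCCESS;
}
```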
@@ -1130,7 +1154,10 @@ int rtrmnet_ctl_newvnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, NLMSG_ALIGN(req.nl_addr.nlmsg_len)); attrinfo->rta_type = IFLA_INFO_KIND; attrinfo->rta_len = RTA_ALIGN(RTA_LENGTH(strlen(kind))); - memcpy(RTA_DATA(attrinfo), kind, strlen(kind)); + if(strlen(kind) < IFNAMSIZ) + strlcpy(RTA_DATA(attrinfo), kind, sizeof(attrinfo)); + else + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(strlen(kind))); @@ -1146,7 +1173,9 @@ int rtrmnet_ctl_newvnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, NLMSG_ALIGN(req.nl_addr.nlmsg_len)); attrinfo->rta_type = IFLA_VLAN_ID; attrinfo->rta_len = RTA_LENGTH(sizeof(id)); - memcpy(RTA_DATA(attrinfo), &id, sizeof(id)); + ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &id, sizeof(id)); + if(ret == RMNETCTL_LIB_COPY_FAILED) + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(sizeof(id))); @@ -1158,7 +1187,9 @@ int rtrmnet_ctl_newvnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, NLMSG_ALIGN(req.nl_addr.nlmsg_len)); attrinfo->rta_type = IFLA_VLAN_FLAGS; attrinfo->rta_len = RTA_LENGTH(sizeof(flags)); - memcpy(RTA_DATA(attrinfo), &flags, sizeof(flags)); + ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &flags, sizeof(flags)); + if(ret == RMNETCTL_LIB_COPY_FAILED) + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(sizeof(flags))); } @@ -1220,6 +1251,7 @@ int rtrmnet_ctl_changevnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, int devindex = 0; int val = 0; short id; + int ret = 0; memset(&req, 0, sizeof(req)); 
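Review bot: `sizeof(attrinfo)` in the new `strlcpy` call of the IFLA_INFO_KIND hunk is the size of a pointer (attrinfo is dereferenced with `->` on the lines above), not the room left in `req`. On a target with 4-byte pointers the kind string "rmnet" is cut to "rmn" while `rta_len` still advertises the full length. The `strlen(kind) < IFNAMSIZ` guard does not bound the write either, since it says nothing about how much of the message buffer is still free at this offset. Bound the copy by the space remaining in the message, e.g. `strlcpy(RTA_DATA(attrinfo), kind, (size_t)((char *)&req + sizeof(req) - (char *)RTA_DATA(attrinfo)));`. The same call is added in the IFLA_INFO_KIND hunk of rtrmnet_ctl_changevnd; both functions start and end outside these hunks.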
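Review bot: The `dst_size` passed to `memscpy` in the IFLA_VLAN_ID hunk is `sizeof(req.data)`, the capacity of the whole array, although the write starts at `RTA_DATA(attrinfo)`, some way into the message. The check can therefore never fail for a `short` id and gives no protection as the message nears the end of the buffer. Pass the bytes actually remaining, e.g. `(size_t)((char *)&req + sizeof(req) - (char *)RTA_DATA(attrinfo))`, and preferably test it before `rta_len` is set. The IFLA_VLAN_FLAGS hunk that follows and both corresponding hunks in rtrmnet_ctl_changevnd pass the same constant. As far as these hunks show, the early `return RMNETCTL_LIB_ERR` also leaves `*error_code` unset, which callers may go on to read.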
@@ -1273,7 +1305,10 @@ int rtrmnet_ctl_changevnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, attrinfo->rta_type = IFLA_INFO_KIND; attrinfo->rta_len = RTA_ALIGN(RTA_LENGTH(strlen(kind))); - memcpy(RTA_DATA(attrinfo), kind, strlen(kind)); + if(strlen(kind) < IFNAMSIZ) + strlcpy(RTA_DATA(attrinfo), kind, sizeof(attrinfo)); + else + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(strlen(kind))); @@ -1290,7 +1325,9 @@ int rtrmnet_ctl_changevnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, NLMSG_ALIGN(req.nl_addr.nlmsg_len)); attrinfo->rta_type = IFLA_VLAN_ID; attrinfo->rta_len = RTA_LENGTH(sizeof(id)); - memcpy(RTA_DATA(attrinfo), &id, sizeof(id)); + ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &id, sizeof(id)); + if(ret == RMNETCTL_LIB_COPY_FAILED) + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(sizeof(id))); @@ -1302,7 +1339,9 @@ int rtrmnet_ctl_changevnd(rmnetctl_hndl_t *hndl, char *devname, char *vndname, NLMSG_ALIGN(req.nl_addr.nlmsg_len)); attrinfo->rta_type = IFLA_VLAN_FLAGS; attrinfo->rta_len = RTA_LENGTH(sizeof(flags)); - memcpy(RTA_DATA(attrinfo), &flags, sizeof(flags)); + ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &flags, sizeof(flags)); + if(ret == RMNETCTL_LIB_COPY_FAILED) + return RMNETCTL_LIB_ERR; req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(sizeof(flags))); } |