[lxc-devel] [PATCH] coverity: ifr_name buffer not NULL terminated

Dwight Engen dwight.engen at oracle.com
Tue Oct 29 13:24:29 UTC 2013


The kernel (net/core/dev_ioctl.c:dev_ioctl()) is going to NUL-terminate
this name after the copy-in of the ifr, so even though this is a fixed-size
array, the last byte isn't usable as part of the name. All the ioctls
we're using go through this code path.

Use the ifr name in the DEBUG message in case it was possibly truncated.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
 src/lxc/conf.c         | 3 ++-
 src/lxc/lxc_user_nic.c | 3 ++-
 src/lxc/network.c      | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index f579c17..50dc426 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2059,6 +2059,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname)
 	}
 
 	memcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	memcpy((char *) &ifr.ifr_hwaddr, (char *) &sockaddr, sizeof(sockaddr));
 
 	process_lock();
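Review bot: The `memcpy(ifr.ifr_name, ifname, IFNAMSIZ)` left in place above the new terminator always reads IFNAMSIZ bytes from `ifname`, so a shorter interface name is read past its own terminator and possibly past the end of its buffer. The added `ifr.ifr_name[IFNAMSIZ-1] = '\0';` fixes only the destination side. Use the bounded string copy that the two lxc_bridge_attach hunks use, `strncpy(ifr.ifr_name, ifname, IFNAMSIZ-1);`, which stops at the source terminator and zero-pads the rest. setup_hw_addr begins before this hunk, so whether callers guarantee an IFNAMSIZ-sized source buffer cannot be seen here.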
@@ -2076,7 +2077,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname)
 	if (ret)
 		ERROR("ioctl failure : %s", strerror(errno));
 
-	DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifname);
+	DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifr.ifr_name);
 
 	return ret;
 }
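Review bot: The DEBUG line states that the address "has been setup" even when `ret` is non-zero, because it follows `if (ret) ERROR(...)` unconditionally. A failed ioctl therefore leaves a success entry in the log right after the error, which is misleading when the log is later used to reconstruct what happened to the interface. Emit it only on success, for example by putting `if (!ret)` in front of the `DEBUG(...)` call. The start of setup_hw_addr is outside this hunk.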
diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 6c3a09e..bc1c268 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -473,7 +473,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 	if (fd < 0)
 		return -errno;
 
-	strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+	strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	ifr.ifr_ifindex = index;
 	err = ioctl(fd, SIOCBRADDIF, &ifr);
 	close(fd);
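Review bot: A bridge name of IFNAMSIZ or more characters is now silently cut to IFNAMSIZ-1 bytes, and SIOCBRADDIF is then issued against whichever bridge carries the shortened name instead of failing. That matters most if `bridge` can be influenced by a less-privileged caller, which is not visible from this hunk. Reject over-long names rather than truncating them, with `if (strlen(bridge) >= IFNAMSIZ) return -EINVAL;` placed before the descriptor is opened (that code is above the hunk) so nothing needs closing on the error path. The same applies to the identical hunk in src/lxc/network.c and to `ifname` in setup_hw_addr in src/lxc/conf.c.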
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 09ca8f7..c30287e 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1009,7 +1009,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 	if (fd < 0)
 		return -errno;
 
-	strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+	strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	ifr.ifr_ifindex = index;
 	err = ioctl(fd, SIOCBRADDIF, &ifr);
 	process_lock();
-- 
1.8.3.1




