Gitiles
Code Review Sign In
review.blissroms.org / platform_vendor_qcom_opensource_dataservices / 02ee4eabb80c8621ae55d08be91777ac949680d1^! / .
commit02ee4eabb80c8621ae55d08be91777ac949680d1[log] [tgz]
authorAvinash Thakur <avinasht@codeaurora.org>Thu Mar 22 17:50:32 2018 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>Sun Apr 29 23:25:34 2018 -0700
treef0adffee6a4e901295352c44259f5fe4223b0d2f
parent1ecd2d8bdee56c0e99550b0f644937d71b7fef01 [diff]
librmnetctl: kw fixes

Using a safer implementation of memcpy
to avoid buffer overflow

CRs-Fixed: 2210993

Change-Id: I486f49ce96c27bfd5010cc9c4e7ace6eb606f1fc
Signed-off-by: "Avinash Thakur <avinasht@codeaurora.org>"
Acked-by: Kaustubh Pandey <kapandey@qti.qualcomm.com>

diff --git a/rmnetctl/inc/librmnetctl.h b/rmnetctl/inc/librmnetctl.h
index 3d622bf..4014ac2 100644
--- a/rmnetctl/inc/librmnetctl.h
+++ b/rmnetctl/inc/librmnetctl.h

@@ -39,6 +39,8 @@
 #ifndef LIBRMNETCTL_H
 #define LIBRMNETCTL_H
 
+/* RMNET API failed to copy*/
+#define RMNETCTL_LIB_COPY_FAILED -1
 /* RMNET API succeeded */
 #define RMNETCTL_SUCCESS 0
 /* RMNET API encountered an error while executing within the library. Check the

diff --git a/rmnetctl/src/librmnetctl.c b/rmnetctl/src/librmnetctl.c
index 731681a..cf237ba 100644
--- a/rmnetctl/src/librmnetctl.c
+++ b/rmnetctl/src/librmnetctl.c

@@ -92,7 +92,30 @@
 	char data[500];
 };
 
+/*
+ * Helper functions
+ */
+/*
+ * @brief helper function to implement a secure memcpy
+ * @details take source and destination buffer size into
+ *          considerations before copying
+ * @param dst destination buffer
+ * @param dst_size size of destination buffer
+ * @param src source buffer
+ * @param src_size size of source buffer
+ * @return size of the smallest of two buffer
+ */
+static inline size_t memscpy(void* dst, size_t dst_size,
+        const void* src, size_t src_size)
+{
+    size_t copy_size = 0;
+    if( dst_size <= src_size)
+        return  RMNETCTL_LIB_COPY_FAILED;
+    else
+        memcpy(dst, src, copy_size);
 
+    return copy_size;
+}
 
 /*===========================================================================
 			LOCAL FUNCTION DEFINITIONS
@@ -1081,6 +1104,7 @@
 	char *kind = "rmnet";
 	struct nlmsg req;
 	short id;
+	int ret = 0;
 
 	if (!hndl || !devname || !vndname || !error_code)
 		return RMNETCTL_INVALID_ARG;
@@ -1130,7 +1154,10 @@
 				     NLMSG_ALIGN(req.nl_addr.nlmsg_len));
 	attrinfo->rta_type =  IFLA_INFO_KIND;
 	attrinfo->rta_len = RTA_ALIGN(RTA_LENGTH(strlen(kind)));
-	memcpy(RTA_DATA(attrinfo), kind, strlen(kind));
+	if(strlen(kind) < IFNAMSIZ)
+		strlcpy(RTA_DATA(attrinfo), kind, sizeof(attrinfo));
+	else
+		return RMNETCTL_LIB_ERR;
 	req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 				RTA_ALIGN(RTA_LENGTH(strlen(kind)));
 
@@ -1146,7 +1173,9 @@
 				     NLMSG_ALIGN(req.nl_addr.nlmsg_len));
 	attrinfo->rta_type =  IFLA_VLAN_ID;
 	attrinfo->rta_len = RTA_LENGTH(sizeof(id));
-	memcpy(RTA_DATA(attrinfo), &id, sizeof(id));
+	ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &id, sizeof(id));
+	if(ret == RMNETCTL_LIB_COPY_FAILED)
+		return RMNETCTL_LIB_ERR;
 	req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 				RTA_ALIGN(RTA_LENGTH(sizeof(id)));
 
@@ -1158,7 +1187,9 @@
 					     NLMSG_ALIGN(req.nl_addr.nlmsg_len));
 		attrinfo->rta_type =  IFLA_VLAN_FLAGS;
 		attrinfo->rta_len = RTA_LENGTH(sizeof(flags));
-		memcpy(RTA_DATA(attrinfo), &flags, sizeof(flags));
+		ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &flags, sizeof(flags));
+		if(ret == RMNETCTL_LIB_COPY_FAILED)
+			return RMNETCTL_LIB_ERR;
 		req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 					RTA_ALIGN(RTA_LENGTH(sizeof(flags)));
 	}
@@ -1220,6 +1251,7 @@
 	int devindex = 0;
 	int val = 0;
 	short id;
+	int ret = 0;
 
 	memset(&req, 0, sizeof(req));
 
@@ -1273,7 +1305,10 @@
 
 	attrinfo->rta_type =  IFLA_INFO_KIND;
 	attrinfo->rta_len = RTA_ALIGN(RTA_LENGTH(strlen(kind)));
-	memcpy(RTA_DATA(attrinfo), kind, strlen(kind));
+	if(strlen(kind) < IFNAMSIZ)
+		strlcpy(RTA_DATA(attrinfo), kind, sizeof(attrinfo));
+	else
+		return RMNETCTL_LIB_ERR;
 	req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 				RTA_ALIGN(RTA_LENGTH(strlen(kind)));
 
@@ -1290,7 +1325,9 @@
 				     NLMSG_ALIGN(req.nl_addr.nlmsg_len));
 	attrinfo->rta_type =  IFLA_VLAN_ID;
 	attrinfo->rta_len = RTA_LENGTH(sizeof(id));
-	memcpy(RTA_DATA(attrinfo), &id, sizeof(id));
+	ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &id, sizeof(id));
+	if(ret == RMNETCTL_LIB_COPY_FAILED)
+		return RMNETCTL_LIB_ERR;
 	req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 				RTA_ALIGN(RTA_LENGTH(sizeof(id)));
 
@@ -1302,7 +1339,9 @@
 					     NLMSG_ALIGN(req.nl_addr.nlmsg_len));
 		attrinfo->rta_type =  IFLA_VLAN_FLAGS;
 		attrinfo->rta_len = RTA_LENGTH(sizeof(flags));
-		memcpy(RTA_DATA(attrinfo), &flags, sizeof(flags));
+		ret = memscpy(RTA_DATA(attrinfo), sizeof(req.data), &flags, sizeof(flags));
+		if(ret == RMNETCTL_LIB_COPY_FAILED)
+			return RMNETCTL_LIB_ERR;
 		req.nl_addr.nlmsg_len = NLMSG_ALIGN(req.nl_addr.nlmsg_len) +
 					RTA_ALIGN(RTA_LENGTH(sizeof(flags)));
 	}