Fix misc. warnings related to strncpy usage.

For few files bundled in open-vm-tools package, one of the code
scanners reported the following warning.

" Easily used incorrectly; doesn't always \0-terminate or check for
invalid pointers"

Checked the files and modified the code to pass 'sizeof dest - 1'
as the third argument to avoid any warnings.

In one of the VGAUTH library functions, added a check for the input buffer
size and return a valid error.

diff --git a/open-vm-tools/lib/include/vmci_sockets.h b/open-vm-tools/lib/include/vmci_sockets.h
index 0171cdbe6306166ea39181cffab2d218c6f934ca..3b2d2441c4330f425e5b2fb5adefdab9c9a96aeb 100644 (file)
--- a/open-vm-tools/lib/include/vmci_sockets.h
+++ b/open-vm-tools/lib/include/vmci_sockets.h
@@ -879,7 +879,8 @@ struct uuid_2_cid {
          }
       }
 
-      strncpy(io.u2c_uuid_string, uuidString, sizeof io.u2c_uuid_string);
+      strncpy(io.u2c_uuid_string, uuidString, sizeof io.u2c_uuid_string - 1);
+      io.u2c_uuid_string[sizeof io.u2c_uuid_string - 1] = '\0';
       if (ioctl(fd, VMCI_SOCKETS_UUID_2_CID, &io) < 0) {
          io.u2c_context_id = VMADDR_CID_ANY;
       }

diff --git a/open-vm-tools/modules/solaris/vmxnet/vmxnet.c b/open-vm-tools/modules/solaris/vmxnet/vmxnet.c
index 243c725752a81eb2e2634c55388886160640615a..d8b8c38b3be7eb9b745bba247a03090d01ae1661 100644 (file)
--- a/open-vm-tools/modules/solaris/vmxnet/vmxnet.c
+++ b/open-vm-tools/modules/solaris/vmxnet/vmxnet.c
@@ -2063,7 +2063,7 @@ map_space_found:
     */
    macInfo = gld_mac_alloc(dip);
    if (!macInfo) {
-      cmn_err(CE_WARN, "%s%d: Vxn_Attach: gld_mac_alloc failed", 
+      cmn_err(CE_WARN, "%s%d: Vxn_Attach: gld_mac_alloc failed",
               drvName, unit);
       goto err_gld_mac_alloc;
    }
@@ -2075,12 +2075,16 @@ map_space_found:
     * Get interrupt cookie
     */
    if (ddi_get_iblock_cookie(dip, 0, &dp->iblockCookie) != DDI_SUCCESS) {
-      cmn_err(CE_WARN, "%s%d: Vxn_Attach: ddi_get_iblock_cookie failed", 
+      cmn_err(CE_WARN, "%s%d: Vxn_Attach: ddi_get_iblock_cookie failed",
               drvName, unit);
       goto err_get_iblock_cookie;
    }
 
-   strncpy(dp->drvName, drvName, SOLVMXNET_MAXNAME);
+   /*
+    * kmem_zalloc above memsets drvName to 0. Use array size - 1 below
+    * to ensure NUL termination.
+    */
+   strncpy(dp->drvName, drvName, sizeof dp->drvName - 1);
    dp->unit = unit;
    dp->dip = dip;
    dp->macInfo = macInfo;

diff --git a/open-vm-tools/vgauth/lib/comm.c b/open-vm-tools/vgauth/lib/comm.c
index 6055c569b95041a11741a1c70cd74594f99ec488..15a4c658efc85e0f3650dbbd63960ee08218e39f 100644 (file)
--- a/open-vm-tools/vgauth/lib/comm.c
+++ b/open-vm-tools/vgauth/lib/comm.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -453,12 +453,22 @@ VGAuthError
 VGAuthComm_SetTestBufferInput(VGAuthContext *ctx,
                               const char *buffer)
 {
-   VGAuthError err = VGAUTH_E_OK;
+   VGAuthError err;
+   size_t bufLen;
 
    ctx->comm.bufTest = TRUE;
    ctx->comm.bufLoc = 0;
-   ctx->comm.bufLen = strlen(buffer);
-   strncpy(ctx->comm.testBuffer, buffer, ctx->comm.bufLen + 1);
+   bufLen = strlen(buffer);
+
+   if (bufLen > sizeof ctx->comm.testBuffer - 1) {
+      fprintf(stderr, "Test buffer too large.\n");
+      err = VGAUTH_E_INVALID_ARGUMENT;
+   } else {
+      ctx->comm.bufLen = bufLen;
+      strncpy(ctx->comm.testBuffer, buffer, sizeof ctx->comm.testBuffer - 1);
+      ctx->comm.testBuffer[sizeof ctx->comm.testBuffer - 1] = '\0';
+      err = VGAUTH_E_OK;
+   }
 
    return err;
 }