From: Dwight Engen <dwight.engen@oracle.com>
Date: Tue, 29 Oct 2013 13:24:29 +0000 (-0400)
Subject: coverity: ifr_name buffer not NULL terminated
X-Git-Tag: lxc-1.0.0.alpha3~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5da6aa8c717f11f99a1e169cb5df47db7656f662;p=thirdparty%2Flxc.git

coverity: ifr_name buffer not NULL terminated

The kernel (net/core/dev_ioctl.c:dev_ioctl()) is going to NULL terminate
this name after the copy-in of the ifr, so even though this is a fixed
sized array the last byte isn't usable as part of the name. All the ioctls
we're using go through this code path.

Use the ifr name in the DEBUG message in case it was possibly truncated.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index f579c17db..50dc4262e 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2059,6 +2059,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname)
 	}
 
 	memcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	memcpy((char *) &ifr.ifr_hwaddr, (char *) &sockaddr, sizeof(sockaddr));
 
 	process_lock();
@@ -2076,7 +2077,7 @@ static int setup_hw_addr(char *hwaddr, const char *ifname)
 	if (ret)
 		ERROR("ioctl failure : %s", strerror(errno));
 
-	DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifname);
+	DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifr.ifr_name);
 
 	return ret;
 }
diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 6c3a09e98..bc1c26881 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -473,7 +473,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 	if (fd < 0)
 		return -errno;
 
-	strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+	strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	ifr.ifr_ifindex = index;
 	err = ioctl(fd, SIOCBRADDIF, &ifr);
 	close(fd);
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 09ca8f79c..c30287e9b 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1009,7 +1009,8 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 	if (fd < 0)
 		return -errno;
 
-	strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+	strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1);
+	ifr.ifr_name[IFNAMSIZ-1] = '\0';
 	ifr.ifr_ifindex = index;
 	err = ioctl(fd, SIOCBRADDIF, &ifr);
 	process_lock();