ndctl icon indicating copy to clipboard operation
ndctl copied to clipboard
verified publisher icon pmem

Using the secure function snprintf

Open foolstrong opened this issue 3 years ago • 1 comments

In the source code, a large number of functions use sprintf to process strings, which may cause overflow risks. You are advised to use snprintf to ensure that strings no out of the bounds.

foolstrong avatar Aug 23 '22 12:08 foolstrong

for example

static void *add_dax_dev(void *parent, int id, const char *daxdev_base)
{
	 const char *devname = devpath_to_devname(daxdev_base);
	 char *path = calloc(1, strlen(daxdev_base) + 100);
	 struct daxctl_region *region = parent;
	 struct daxctl_ctx *ctx = region->ctx;
	 struct daxctl_dev *dev, *dev_dup;
	 char buf[SYSFS_ATTR_SIZE];
	 struct stat st;

	if (!path)
		return NULL;
	dbg(ctx, "%s: base: \'%s\'\n", __func__, daxdev_base);

	dev = calloc(1, sizeof(*dev));
	if (!dev)
		goto err_dev;
	dev->id = id;
	dev->region = region;

	sprintf(path, "/dev/%s", devname);
	if (stat(path, &st) < 0)
		goto err_read;
	dev->major = major(st.st_rdev);
	dev->minor = minor(st.st_rdev);

	sprintf(path, "%s/resource", daxdev_base);
	if (sysfs_read_attr(ctx, path, buf) == 0)
		dev->resource = strtoull(buf, NULL, 0);
	else
		dev->resource = iomem_get_dev_resource(ctx, daxdev_base);

	sprintf(path, "%s/size", daxdev_base);
	if (sysfs_read_attr(ctx, path, buf) < 0)
		goto err_read;
	dev->size = strtoull(buf, NULL, 0);

	/* Device align attribute is only available in v5.10 or up */
	sprintf(path, "%s/align", daxdev_base);
	if (!sysfs_read_attr(ctx, path, buf))
		dev->align = strtoull(buf, NULL, 0);
	else
		dev->align = 0;

	dev->dev_path = strdup(daxdev_base);
	if (!dev->dev_path)
		goto err_read;

	dev->dev_buf = calloc(1, strlen(daxdev_base) + 50);
	if (!dev->dev_buf)
		goto err_read;
	dev->buf_len = strlen(daxdev_base) + 50;

	sprintf(path, "%s/target_node", daxdev_base);
	if (sysfs_read_attr(ctx, path, buf) == 0)
		dev->target_node = strtol(buf, NULL, 0);
	else
		dev->target_node = -1;

	daxctl_dev_foreach(region, dev_dup)
		if (dev_dup->id == dev->id) {
			free_dev(dev, NULL);
			free(path);
			return dev_dup;
		}
	dev->num_mappings = -1;
	list_head_init(&dev->mappings);
	list_add(&region->devices, &dev->list);
	free(path);
	return dev;
 err_read:
	free(dev->dev_buf);
	free(dev->dev_path);
	free(dev);
 err_dev:
	free(path);
	return NULL;
}

foolstrong avatar Aug 23 '22 12:08 foolstrong

ok

foolstrong avatar Mar 28 '23 12:03 foolstrong