From 4c623481986a4697fe7bbb3f553b877d38650422 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Mon, 10 Apr 2017 10:29:15 +0200
Subject: gfapi: prevent off-by-one buffer overrun in glfs_sysrq()
Coverity found a potential buffer overrun in the strncat() usage for logging the help message with glfs_sysrq(). This seems to be an off-by-one mistake and should be addressed by reducing the initial size of the remainder calculation.
Change-Id: Ide14add1cb28e5200d2c0df6b3a5154999ef3ca9
BUG: 789278
Signed-off-by: Niels de Vos
Reviewed-on: https://review.gluster.org/17024
Smoke: Gluster Build System
NetBSD-regression: NetBSD Build System
CentOS-regression: Gluster Build System
Reviewed-by: Kaleb KEITHLEY
Reviewed-by: Amar Tumballi
---
 api/src/glfs.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'api')
diff --git a/api/src/glfs.c b/api/src/glfs.c
index bd59027236a..10af6c78e17 100644
--- a/api/src/glfs.c
+++ b/api/src/glfs.c
@@ -1477,7 +1477,6 @@ pub_glfs_sysrq (struct glfs *fs, char sysrq)
 glusterfs_ctx_t *ctx = NULL;
 int ret = 0;
 char msg[1024] = {0,}; /* should not exceed 1024 chars */
- size_t rem = sizeof (msg);
 if (!fs || !fs->ctx) {
 ret = -1;
@@ -1490,12 +1489,13 @@ pub_glfs_sysrq (struct glfs *fs, char sysrq)
 switch (sysrq) {
 case GLFS_SYSRQ_HELP:
 {
- struct glfs_sysrq_help *usage;
+ struct glfs_sysrq_help *usage = NULL;
 for (usage = glfs_sysrq_help; usage->sysrq; usage++) {
- strncat (msg, usage->msg, rem);
- rem -= strlen (usage->msg);
- strncat (msg, " ", rem--);
+ snprintf (msg + strlen (msg), /* append to msg */
+ sizeof (msg) - strlen (msg) - 2,
+ /* - 2 for the " " + terminating \0 */
+ " %s", usage->msg);
 }
 /* not really an 'error', but make sure it gets logged */
-- cgit
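Review bot: The size passed to snprintf() in the GLFS_SYSRQ_HELP loop subtracts 2 "for the " " + terminating \0", but snprintf's size argument already counts the terminating NUL and the space is part of the formatted output, so the margin only shortens the usable buffer and the comment misstates why the call is safe. The call does stay in bounds as written, because the remaining size never drops below 1, but that rests on the unsigned expression `sizeof (msg) - strlen (msg) - 2` never wrapping, which nothing in the loop states or checks. The return value is also ignored, so a help table that outgrows msg is truncated silently. Keeping a running offset and checking snprintf's return makes the bound explicit and stops appending at the first truncation, as sketched below. The rest of pub_glfs_sysrq, including the log call that consumes msg, lies outside the hunk.

```c
struct glfs_sysrq_help *usage = NULL;
size_t off = 0; /* bytes of msg used so far, excluding the NUL */

for (usage = glfs_sysrq_help; usage->sysrq; usage++) {
        int n = snprintf (msg + off, sizeof (msg) - off,
                          " %s", usage->msg);
        if (n < 0 || (size_t) n >= sizeof (msg) - off)
                break; /* output error or truncation: stop appending */
        off += (size_t) n;
}
/* … unchanged: logging of msg … */
```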