Shannon Zhao <zhaoshengl...@huawei.com> writes:
> It's detected by coverity. As max of sockaddr_un.sun_path is
> sizeof(helper.sun_path), should check the length of source
> and use strncpy instead of strcpy.
>
> Signed-off-by: Shannon Zhao <zhaoshengl...@huawei.com>
> Signed-off-by: Shannon Zhao <shannon.z...@linaro.org>
> ---
> hw/9pfs/virtio-9p-proxy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 59c7445..fb1ab7b 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
> int sockfd, size;
> struct sockaddr_un helper;
>
> + g_assert(strlen(path) < sizeof(helper.sun_path));
Since we are doing this from within Qemu, I did the below and folded
that into other sockadd_un.sun_path size checking patch.
diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 6bb191ee6ab8..71b6198bbd22 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
int sockfd, size;
struct sockaddr_un helper;
+ if (strlen(path) >= sizeof(helper.sun_path)) {
+ fprintf(stderr, "Socket name too large\n");
+ return -1;
+ }
sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sockfd < 0) {
fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
Let me know if that is ok for you.
> sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
> if (sockfd < 0) {
> fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
> return -1;
> }
> - strcpy(helper.sun_path, path);
> + strncpy(helper.sun_path, path, sizeof(helper.sun_path));
> helper.sun_family = AF_UNIX;
> size = strlen(helper.sun_path) + sizeof(helper.sun_family);
> if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
> --
> 1.8.3.1
