Fix: flt.lttng-utils.debug-info: note name memcmp() overflow
author: Francis Deslauriers <francis.deslauriers@efficios.com>
Tue, 21 May 2019 19:06:25 +0000 (15:06 -0400)
committer: Philippe Proulx <eeppeliteloop@gmail.com>
Tue, 28 May 2019 13:52:09 +0000 (09:52 -0400)
Issue
=====
If the note section that we are currently parsing has a name longer
than the "GNU" string, the `memcmp()` call will read garbage after the
"GNU" string.

I witnessed this when the component was parsing a note section named
"stapsdt".

Solution
========
Make the section name length comparison explicit.

Drawbacks
=========
None.

Reported-by: Address Sanitizer - Global buffer overflow
Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
Change-Id: I515f8c883ddbc1884045e86aecef700ee2111959
Reviewed-on: https://review.lttng.org/c/babeltrace/+/1322
Tested-by: jenkins
Reviewed-by: Philippe Proulx <eeppeliteloop@gmail.com>
plugins/lttng-utils/debug-info/bin-info.c

index f861b2ed78966aeb56118bf583dc4a85884156d3..280462906b8192cd8e98ea6f84eb1adde02cea80 100644 (file)
@@ -251,8 +251,18 @@ int is_build_id_note_section(uint8_t *buf)
         * - Note type
         */
        name_sz = (uint32_t) *buf;
+
+       /*
+        * Check the note name length. The name_sz field includes the
+        * terminating null byte.
+        */
+       if (name_sz != sizeof(BUILD_ID_NOTE_NAME)) {
+               goto invalid;
+       }
+
        buf += sizeof(name_sz);
 
+       /* Ignore the note description size. */
        buf += sizeof(desc_sz);
 
        note_type = (uint32_t) *buf;
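Review bot: the context line `name_sz = (uint32_t) *buf;` (and likewise `note_type = (uint32_t) *buf;`) dereferences a `uint8_t *`, so only the first byte of the 4-byte field is read even though `buf += sizeof(name_sz)` then skips 4 bytes; the new `if (name_sz != sizeof(BUILD_ID_NOTE_NAME))` check therefore only behaves as intended on a little-endian host and for names shorter than 256 bytes, and would always reject on a big-endian host. Consider reading the field whole, e.g. `memcpy(&name_sz, buf, sizeof(name_sz));`, before comparing. The length check itself is the right fix for the out-of-bounds `memcmp()` described in the message, provided `BUILD_ID_NOTE_NAME` is a string literal or char array rather than a pointer, since `sizeof` of a pointer would not equal the name length including its terminator; a comment or static assert stating that assumption next to the macro would make it explicit.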