From 233b228c8d1fefaa04e33730bc67d7c010a3d4dd Mon Sep 17 00:00:00 2001 From: Francis Deslauriers Date: Tue, 21 May 2019 15:06:25 -0400 Subject: [PATCH] Fix: flt.lttng-utils.debug-info: note name memcmp() overflow Issue ===== If the note section that we are currently parsing has a name longer than the "GNU" string, the `memcmp()` call will read garbage after the "GNU" string. I witnessed this when the component was parsing a note section named "stapsdt". Solution ======== Make the section name length comparison explicit. Drawbacks ========= None. Reported-by: Address Sanitizer - Global buffer overflow Signed-off-by: Francis Deslauriers Change-Id: I515f8c883ddbc1884045e86aecef700ee2111959 Reviewed-on: https://review.lttng.org/c/babeltrace/+/1322 Tested-by: jenkins Reviewed-by: Philippe Proulx --- plugins/lttng-utils/debug-info/bin-info.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/plugins/lttng-utils/debug-info/bin-info.c b/plugins/lttng-utils/debug-info/bin-info.c index f861b2ed..28046290 100644 --- a/plugins/lttng-utils/debug-info/bin-info.c +++ b/plugins/lttng-utils/debug-info/bin-info.c @@ -251,8 +251,18 @@ int is_build_id_note_section(uint8_t *buf) * - Note type */ name_sz = (uint32_t) *buf; + + /* + * Check the note name length. The name_sz field includes the + * terminating null byte. + */ + if (name_sz != sizeof(BUILD_ID_NOTE_NAME)) { + goto invalid; + } + buf += sizeof(name_sz); + /* Ignore the note description size. */ buf += sizeof(desc_sz); note_type = (uint32_t) *buf; -- 2.34.1
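Review bot: the new `if (name_sz != sizeof(BUILD_ID_NOTE_NAME))` check is only correct if `BUILD_ID_NOTE_NAME` is a string-literal macro, so that `sizeof` yields the name length including the terminating null byte that the added comment describes; if that symbol is ever declared as a `const char *`, `sizeof` silently becomes the pointer size and every genuine build-id note takes the `goto invalid` path. A compile-time assertion on the macro, or a comment beside its definition, would pin that down. Separately, the unchanged context line `name_sz = (uint32_t) *buf;` immediately above the hunk dereferences a `uint8_t *` (see `is_build_id_note_section(uint8_t *buf)` in the hunk header), so the cast widens a single byte rather than reading the 4-byte name-size field; the new length check therefore only ever compares the low byte on a little-endian host, while the following `buf += sizeof(name_sz)` advances by four. Reading the field with `memcpy(&name_sz, buf, sizeof(name_sz))` (and likewise for `desc_sz` and `note_type`) would make the check and the pointer arithmetic consistent.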