Fix: out of bounds access of kernel channel padding

[lttng-tools.git] / src / common / kernel-ctl / kernel-ctl.c

diff --git a/src/common/kernel-ctl/kernel-ctl.c b/src/common/kernel-ctl/kernel-ctl.c
index e4a268ed48becd506ddbaf955deeacd3ef6d5373..b45efd0efa1dc7e6b5e8520419d9f7f6dff99ebd 100644 (file)
--- a/src/common/kernel-ctl/kernel-ctl.c
+++ b/src/common/kernel-ctl/kernel-ctl.c
@@ -82,7 +82,13 @@ int kernctl_open_metadata(int fd, struct lttng_channel_attr *chops)
                old_channel.switch_timer_interval = chops->switch_timer_interval;
                old_channel.read_timer_interval = chops->read_timer_interval;
                old_channel.output = chops->output;
-               memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+               memset(old_channel.padding, 0, sizeof(old_channel.padding));
+               /*
+                * The new channel padding is smaller than the old ABI so we use the
+                * new ABI padding size for the memcpy.
+                */
+               memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 
                return ioctl(fd, LTTNG_KERNEL_OLD_METADATA, &old_channel);
        }
@@ -111,7 +117,13 @@ int kernctl_create_channel(int fd, struct lttng_channel_attr *chops)
                old_channel.switch_timer_interval = chops->switch_timer_interval;
                old_channel.read_timer_interval = chops->read_timer_interval;
                old_channel.output = chops->output;
-               memcpy(old_channel.padding, chops->padding, sizeof(old_channel.padding));
+
+               memset(old_channel.padding, 0, sizeof(old_channel.padding));
+               /*
+                * The new channel padding is smaller than the old ABI so we use the
+                * new ABI padding size for the memcpy.
+                */
+               memcpy(old_channel.padding, chops->padding, sizeof(chops->padding));
 
                return ioctl(fd, LTTNG_KERNEL_OLD_CHANNEL, &old_channel);
        }