From 9ac05d92b567d3f722c2e76ed0f4ca08f95e9ca2 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Mon, 16 May 2016 21:42:43 -0400
Subject: [PATCH] Fix: illegal memory access in add_uri_to_consumer
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Found by Coverity:

CID 1243038 (#1 of 1): Buffer not null terminated
(BUFFER_SIZE_WARNING)15. buffer_size_warning: Calling strncpy with a
maximum size argument of 4096 bytes on destination array
consumer->dst.trace_path of size 4096 bytes might leave the destination
string unterminated.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
---
 src/bin/lttng-sessiond/cmd.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/bin/lttng-sessiond/cmd.c b/src/bin/lttng-sessiond/cmd.c
index d443d7926..1327e42e4 100644
--- a/src/bin/lttng-sessiond/cmd.c
+++ b/src/bin/lttng-sessiond/cmd.c
@@ -758,12 +758,15 @@ static int add_uri_to_consumer(struct consumer_output *consumer,
 		DBG2("Setting trace directory path from URI to %s", uri->dst.path);
 		memset(consumer->dst.trace_path, 0,
 				sizeof(consumer->dst.trace_path));
-		strncpy(consumer->dst.trace_path, uri->dst.path,
-				sizeof(consumer->dst.trace_path));
+		/* Explicit length checks for strcpy and strcat. */
+		if (strlen(uri->dst.path) + strlen(default_trace_dir)
+				>= sizeof(consumer->dst.trace_path)) {
+			ret = LTTNG_ERR_FATAL;
+			goto error;
+		}
+		strcpy(consumer->dst.trace_path, uri->dst.path);
 		/* Append default trace dir */
-		strncat(consumer->dst.trace_path, default_trace_dir,
-				sizeof(consumer->dst.trace_path) -
-				strlen(consumer->dst.trace_path) - 1);
+		strcat(consumer->dst.trace_path, default_trace_dir);
 		/* Flag consumer as local. */
 		consumer->type = CONSUMER_DST_LOCAL;
 		break;
-- 
2.34.1