Avoid rxi_tracename overflow

When processing the -trace option for the vlserver (and a couple of other places), we can easily overflow the rxi_tracename array if the given string is too big. While the way this global setting works in general isn't the best, at least for now just prevent the buffer overflow by doing a simple bounds check with strlcpy. Change-Id: I41faec8d2aa09f871a69d7db1643f1117aa5618c Reviewed-on: https://gerrit.openafs.org/14753 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
2025-01-18 15:00:12 +00:00 · 2021-08-11 17:33:05 -05:00 · 2021-08-11 17:33:05 -05:00 · a794383f5e
commit a794383f5e
parent 9d7b94493c
4 changed files with 23 additions and 5 deletions
--- a/src/rx/rx_trace.c
+++ b/src/rx/rx_trace.c
@ -150,7 +150,11 @@ main(int argc, char **argv)
    argc--;
    while (argc && **argv == '-') {
 	if (strcmp(*argv, "-trace") == 0) {
-	    strcpy(rxi_tracename, *(++argv));
+	    if (strlcpy(rxi_tracename, *(++argv),
+			sizeof(rxi_tracename)) >= sizeof(rxi_tracename)) {
+		fprintf(stderr, "-trace argument too long\n");
+		exit(1);
+	    }
 	    argc--;
 	} else {
 	    err++;
--- a/src/rx/test/testserver.c
+++ b/src/rx/test/testserver.c
@ -94,7 +94,12 @@ main(int argc, char **argv)
 #if defined(RXDEBUG) && !defined(AFS_NT40_ENV)
 	else if (strcmp(*argv, "-trace") == 0) {
 	    extern char rxi_tracename[80];
-	    strcpy(rxi_tracename, *(++argv)), argc--;
+	    argv++;
+	    argc--;
+	    if (strlcpy(rxi_tracename, *argv,
+			sizeof(rxi_tracename)) >= sizeof(rxi_tracename)) {
+		Quit("-trace argument too long");
+	    }
 	}
 #endif
 	else if (strcmp(*argv, "-logstdout") == 0)
--- a/src/rxkad/test/stress.c
+++ b/src/rxkad/test/stress.c
@ -13,6 +13,7 @@
 #include <afs/param.h>


+#include <roken.h>
 #include <afs/stds.h>
 #include <sys/types.h>
 #ifdef AFS_NT40_ENV
@ -145,8 +146,12 @@ CommandProc(struct cmd_syndesc *as, void *arock)

    if (startServer) {
 	if (as->parms[aTRACE].items) {
-	    extern char rxi_tracename[];
-	    strcpy(rxi_tracename, as->parms[aTRACE].items->data);
+	    extern char rxi_tracename[80];
+	    if (strlcpy(rxi_tracename, as->parms[aTRACE].items->data,
+			sizeof(rxi_tracename)) >= sizeof(rxi_tracename)) {
+		afs_com_err(whoami, 0, "-trace argument too long");
+		return ENAMETOOLONG;
+	    }
 	}

 	/* These options not compatible with -server */
--- a/src/vlserver/vlserver.c
+++ b/src/vlserver/vlserver.c
@ -307,7 +307,11 @@ main(int argc, char **argv)
    cmd_OptionAsFlag(opts, OPT_smallmem, &smallMem);
    if (cmd_OptionAsString(opts, OPT_trace, &optstring) == 0) {
 	extern char rxi_tracename[80];
-	strcpy(rxi_tracename, optstring);
+	if (strlcpy(rxi_tracename, optstring,
+		    sizeof(rxi_tracename)) >= sizeof(rxi_tracename)) {
+	    fprintf(stderr, "-trace argument too long\n");
+	    return -1;
+	}
 	free(optstring);
 	optstring = NULL;
    }