From 25fc2530f7ee6d7267e2ccc1b75a47a3ae539dff Mon Sep 17 00:00:00 2001
From: karthik-us
Date: Thu, 7 Oct 2021 21:29:27 +0530
Subject: [PATCH 605/610] Coverity: Fix copy into fixed size buffer (CID: 1325542)

Problem: In __mnt3_fresh_lookup() mres->resolveloc.path is being copied into a fixed size string mres->remainingdir, with strncpy without checking the size of the source string. This could lead to string overflow.
Fix: Copy only till the destination string length and check whether the soruce string overflows. If so log an error message and return.
> Upstream patch: https://github.com/gluster/glusterfs/pull/2474/
> Change-Id: I26dd0653d2636c667ad4e356d12d3d51956c77c3
> Signed-off-by: karthik-us
> Updates: gluster#1060
BUG: 1997447
Change-Id: I26dd0653d2636c667ad4e356d12d3d51956c77c3
Signed-off-by: karthik-us
Reviewed-on: https://code.engineering.redhat.com/gerrit/c/rhs-glusterfs/+/280106
Tested-by: RHGS Build Bot
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya
---
 xlators/nfs/server/src/mount3.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/xlators/nfs/server/src/mount3.c b/xlators/nfs/server/src/mount3.c
index 734453c..3951b9e 100644
--- a/xlators/nfs/server/src/mount3.c
+++ b/xlators/nfs/server/src/mount3.c
@@ -1104,8 +1104,13 @@ __mnt3_fresh_lookup(mnt3_resolve_t *mres)
 {
 inode_unlink(mres->resolveloc.inode, mres->resolveloc.parent,
 mres->resolveloc.name);
- strncpy(mres->remainingdir, mres->resolveloc.path,
- strlen(mres->resolveloc.path));
+ if (snprintf(mres->remainingdir, sizeof(mres->remainingdir), "%s",
+ mres->resolveloc.path) >= sizeof(mres->remainingdir)) {
+ gf_msg(GF_MNT, GF_LOG_ERROR, EFAULT, NFS_MSG_RESOLVE_INODE_FAIL,
+ "Failed to copy resolve path: %s", mres->resolveloc.path);
+ nfs_loc_wipe(&mres->resolveloc);
+ return -EFAULT;
+ }
 nfs_loc_wipe(&mres->resolveloc);
 return __mnt3_resolve_subdir(mres);
 }
--
1.8.3.1
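Review bot: The truncation test compares the `int` returned by `snprintf` directly with `sizeof(mres->remainingdir)`, so a negative return (an output error) is caught only because it converts to a very large unsigned value. That happens to fail safe, but it is implicit, trips `-Wsign-compare`, and would be logged as a path-copy failure. Storing the result and testing both cases states the intent: `int len = snprintf(mres->remainingdir, sizeof(mres->remainingdir), "%s", mres->resolveloc.path);` followed by `if (len < 0 || (size_t)len >= sizeof(mres->remainingdir)) {`. The check also runs after `inode_unlink()` has been called, so on the error path the inode is already unlinked and `remainingdir` holds a truncated path when `-EFAULT` is returned. Whether callers tolerate that is not visible in this hunk, but checking the length of `mres->resolveloc.path` before the unlink would leave state untouched on failure.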