From cfaaf34550c5ea92ee9b74d969a0c56c826cd020 Mon Sep 17 00:00:00 2001

From: Sebastien GODARD <sysstat@users.noreply.github.com>

Date: Thu, 11 Aug 2016 09:13:57 +0200

Subject: [PATCH] Replace strcpy() with strncpy() to avoid buffer overflows

Using strcpy() is not safe since destination buffer may overflow, for

example if the string being copied doesn't contain a terminator.

This patch replaces strcpy() with strncpy() to make sure no buffer

overflows happen.

Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>

(cherry picked from commit 5aa69b67f03c00eded746c819eaa5b74a021ca1b)

---

 cifsiostat.c | 3 ++-

 ioconf.c     | 6 ++++--

 iostat.c     | 6 ++++--

 rd_stats.c   | 5 +++--

 sa_common.c  | 8 ++++----

 5 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/cifsiostat.c b/cifsiostat.c

index 09b60b2..bca6576 100644

--- a/cifsiostat.c

+++ b/cifsiostat.c

@@ -345,7 +345,8 @@ void read_cifs_stat(int curr)

 			else {

 				start = 1;

 			}

-			strcpy(cifs_name, name_tmp);

+			strncpy(cifs_name, name_tmp, MAX_NAME_LEN);

+			cifs_name[MAX_NAME_LEN - 1] = '\0';

 		}

 		else {

 			if (!strncmp(line, "Reads:", 6)) {

diff --git a/ioconf.c b/ioconf.c

index 0011320..83008b1 100644

--- a/ioconf.c

+++ b/ioconf.c

@@ -282,7 +282,8 @@ int ioc_init(void)

 			 * exception info

 			 */

 			xblkp->ext_minor = iocp->ctrlno;

-			strcpy(xblkp->ext_name, blkp->name);

+			strncpy(xblkp->ext_name, blkp->name, IOC_NAMELEN + 1);

+			xblkp->ext_name[IOC_NAMELEN] = '\0';

 			xblkp->ext = 1;

 			continue;

 		}

@@ -393,7 +394,8 @@ char *ioc_name(unsigned int major, unsigned int minor)

 	/* Is this an extension record? */

 	if (p->blkp->ext && (p->blkp->ext_minor == minor)) {

-		strcpy(name, p->blkp->ext_name);

+		strncpy(name, p->blkp->ext_name, IOC_DEVLEN + 1);

+		name[IOC_DEVLEN] = '\0';

 		return (name);

 	}

diff --git a/iostat.c b/iostat.c

index 308a9af..e49daa0 100644

--- a/iostat.c

+++ b/iostat.c

@@ -366,7 +366,8 @@ void presave_device_list(void)

 		/* Now save devices and group names in the io_hdr_stats structures */

 		for (i = 0; (i < dlist_idx) && (i < iodev_nr); i++, shi++, sdli++) {

-			strcpy(shi->name, sdli->dev_name);

+			strncpy(shi->name, sdli->dev_name, MAX_NAME_LEN);

+			shi->name[MAX_NAME_LEN - 1] = '\0';

 			shi->used = TRUE;

 			if (shi->name[0] == ' ') {

 				/* Current device name is in fact the name of a group */

@@ -385,7 +386,8 @@ void presave_device_list(void)

 		 * included in that group.

 		 */

 		shi += iodev_nr - 1;

-		strcpy(shi->name, group_name);

+		strncpy(shi->name, group_name, MAX_NAME_LEN);

+		shi->name[MAX_NAME_LEN - 1] = '\0';

 		shi->used = TRUE;

 		shi->status = DISK_GROUP;

 	}

diff --git a/rd_stats.c b/rd_stats.c

index f288eb8..6aa8698 100644

--- a/rd_stats.c

+++ b/rd_stats.c

@@ -1915,7 +1915,7 @@ void read_bus_usb_dev(struct stats_pwr_usb *st_pwr_usb, int nbr)

 void read_filesystem(struct stats_filesystem *st_filesystem, int nbr)

 {

 	FILE *fp;

-	char line[512], fs_name[MAX_FS_LEN], mountp[256];

+	char line[512], fs_name[128], mountp[256];

 	int fs = 0;

 	struct stats_filesystem *st_filesystem_i;

 	struct statvfs buf;

@@ -1955,7 +1955,8 @@ void read_filesystem(struct stats_filesystem *st_filesystem, int nbr)

 			st_filesystem_i->f_bavail = buf.f_bavail * buf.f_frsize;

 			st_filesystem_i->f_files  = buf.f_files;

 			st_filesystem_i->f_ffree  = buf.f_ffree;

-			strcpy(st_filesystem_i->fs_name, fs_name);

+			strncpy(st_filesystem_i->fs_name, fs_name, MAX_FS_LEN);

+			st_filesystem_i->fs_name[MAX_FS_LEN - 1] = '\0';

 			strncpy(st_filesystem_i->mountp, mountp, MAX_FS_LEN);

 			st_filesystem_i->mountp[MAX_FS_LEN - 1] = '\0';

 		}

diff --git a/sa_common.c b/sa_common.c

index 2206e9f..df7d38d 100644

--- a/sa_common.c

+++ b/sa_common.c

@@ -549,7 +549,7 @@ unsigned int check_net_dev_reg(struct activity *a, int curr, int ref,

 					 * actually unregistered.

 					 */

 					memset(sndp, 0, STATS_NET_DEV_SIZE);

-					strcpy(sndp->interface, sndc->interface);

+					strncpy(sndp->interface, sndc->interface, MAX_IFACE_LEN - 1);

 				}

 			}

 			return index;

@@ -574,7 +574,7 @@ unsigned int check_net_dev_reg(struct activity *a, int curr, int ref,

 	sndp = (struct stats_net_dev *) a->buf[ref] + index;

 	/* Since the name is not the same, reset all the structure */

 	memset(sndp, 0, STATS_NET_DEV_SIZE);

-	strcpy(sndp->interface, sndc->interface);

+	strncpy(sndp->interface, sndc->interface, MAX_IFACE_LEN - 1);

 	return  index;

 }

@@ -625,7 +625,7 @@ unsigned int check_net_edev_reg(struct activity *a, int curr, int ref,

 				 * actually unregistered.

 				 */

 				memset(snedp, 0, STATS_NET_EDEV_SIZE);

-				strcpy(snedp->interface, snedc->interface);

+				strncpy(snedp->interface, snedc->interface, MAX_IFACE_LEN - 1);

 			}

 			return index;

 		}

@@ -649,7 +649,7 @@ unsigned int check_net_edev_reg(struct activity *a, int curr, int ref,

 	snedp = (struct stats_net_edev *) a->buf[ref] + index;

 	/* Since the name is not the same, reset all the structure */

 	memset(snedp, 0, STATS_NET_EDEV_SIZE);

-	strcpy(snedp->interface, snedc->interface);

+	strncpy(snedp->interface, snedc->interface, MAX_IFACE_LEN - 1);

 	return  index;

 }

-- 

2.14.3