From: Benoît Ganne <bganne@cisco.com>
Date: Tue, 12 Oct 2021 08:14:30 +0000 (+0200)
Subject: ip: fix punt socket overflow
X-Git-Tag: v23.02-rc0~39
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=edb0d4563c2e808a1c7d9101b2c05087ffb3b279;p=vpp.git

ip: fix punt socket overflow

client_pathname is usually smaller than pc->caddr.sun_path. snprint()
ensures we stop at the NULL character or sizeof(sun_path) whichever
comes 1st. It also guarantees NULL character termination.

Type: fix

Change-Id: I9fc2a706beab931d50d32d03f7fafca7c6c2fb0b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---

diff --git a/src/vnet/ip/punt.c b/src/vnet/ip/punt.c
index eb191da1394..10deb2e8849 100644
--- a/src/vnet/ip/punt.c
+++ b/src/vnet/ip/punt.c
@@ -165,7 +165,8 @@ punt_socket_register_l4 (vlib_main_t * vm,
       punt_client_l4_db_add (af, port, c - pm->punt_client_pool);
     }
 
-  memcpy (c->caddr.sun_path, client_pathname, sizeof (c->caddr.sun_path));
+  snprintf (c->caddr.sun_path, sizeof (c->caddr.sun_path), "%s",
+	    client_pathname);
   c->caddr.sun_family = AF_UNIX;
   c->reg.type = PUNT_TYPE_L4;
   c->reg.punt.l4.port = port;
@@ -197,7 +198,8 @@ punt_socket_register_ip_proto (vlib_main_t * vm,
       punt_client_ip_proto_db_add (af, proto, c - pm->punt_client_pool);
     }
 
-  memcpy (c->caddr.sun_path, client_pathname, sizeof (c->caddr.sun_path));
+  snprintf (c->caddr.sun_path, sizeof (c->caddr.sun_path), "%s",
+	    client_pathname);
   c->caddr.sun_family = AF_UNIX;
   c->reg.type = PUNT_TYPE_IP_PROTO;
   c->reg.punt.ip_proto.protocol = proto;
@@ -227,7 +229,8 @@ punt_socket_register_exception (vlib_main_t * vm,
       punt_client_exception_db_add (reason, pc - pm->punt_client_pool);
     }
 
-  memcpy (pc->caddr.sun_path, client_pathname, sizeof (pc->caddr.sun_path));
+  snprintf (pc->caddr.sun_path, sizeof (pc->caddr.sun_path), "%s",
+	    client_pathname);
   pc->caddr.sun_family = AF_UNIX;
   pc->reg.type = PUNT_TYPE_EXCEPTION;
   pc->reg.punt.exception.reason = reason;