From 092aa1c585fedd9e169eece41b8a471f1739908a Mon Sep 17 00:00:00 2001
From: Peter Bohm <peter.m.bohm@sonyericsson.com>
Date: Fri, 1 Apr 2011 12:35:25 +0200
Subject: [PATCH] Prevent buffer overflows.

To eliminate possible buffer overflows some strcpy,
sprintf and strcat have been changed to strlcpy,
snprintf and strlcat.

Change-Id: Ieb9d4b600c894946a6492f8629ff39f2fcc106d3
Signed-off-by: Oskar Andero <oskar.andero@sonyericsson.com>
---
 Devmapper.cpp | 39 +++++++++++++++++++++++----------------
 Loop.cpp      |  4 ++--
 vdc.c         |  6 +++++-
 3 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/Devmapper.cpp b/Devmapper.cpp
index c9482bf..4d94e7b 100644
--- a/Devmapper.cpp
+++ b/Devmapper.cpp
@@ -19,6 +19,7 @@
 #include <unistd.h>
 #include <errno.h>
 #include <string.h>
+#include <stdlib.h>
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -34,6 +35,8 @@
 
 #include "Devmapper.h"
 
+#define DEVMAPPER_BUFFER_SIZE 4096
+
 int Devmapper::dumpState(SocketClient *c) {
 
     char *buffer = (char *) malloc(1024 * 64);
@@ -43,7 +46,7 @@ int Devmapper::dumpState(SocketClient *c) {
     }
     memset(buffer, 0, (1024 * 64));
 
-    char *buffer2 = (char *) malloc(4096);
+    char *buffer2 = (char *) malloc(DEVMAPPER_BUFFER_SIZE);
     if (!buffer2) {
         SLOGE("Error allocating memory (%s)", strerror(errno));
         free(buffer);
@@ -81,9 +84,9 @@ int Devmapper::dumpState(SocketClient *c) {
     do {
         n = (struct dm_name_list *) (((char *) n) + nxt);
 
-        memset(buffer2, 0, 4096);
+        memset(buffer2, 0, DEVMAPPER_BUFFER_SIZE);
         struct dm_ioctl *io2 = (struct dm_ioctl *) buffer2;
-        ioctlInit(io2, 4096, n->name, 0);
+        ioctlInit(io2, DEVMAPPER_BUFFER_SIZE, n->name, 0);
         if (ioctl(fd, DM_DEV_STATUS, io2)) {
             if (errno != ENXIO) {
                 SLOGE("DM_DEV_STATUS ioctl failed (%s)", strerror(errno));
@@ -120,12 +123,14 @@ void Devmapper::ioctlInit(struct dm_ioctl *io, size_t dataSize,
     io->version[2] = 0;
     io->flags = flags;
     if (name) {
-        strncpy(io->name, name, sizeof(io->name));
+        int ret = strlcpy(io->name, name, sizeof(io->name));
+	if (ret >= sizeof(io->name))
+		abort();
     }
 }
 
 int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) {
-    char *buffer = (char *) malloc(4096);
+    char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE);
     if (!buffer) {
         SLOGE("Error allocating memory (%s)", strerror(errno));
         return -1;
@@ -140,7 +145,7 @@ int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) {
 
     struct dm_ioctl *io = (struct dm_ioctl *) buffer;
  
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
     if (ioctl(fd, DM_DEV_STATUS, io)) {
         if (errno != ENXIO) {
             SLOGE("DM_DEV_STATUS ioctl failed for lookup (%s)", strerror(errno));
@@ -159,7 +164,7 @@ int Devmapper::lookupActive(const char *name, char *ubuffer, size_t len) {
 
 int Devmapper::create(const char *name, const char *loopFile, const char *key,
                       unsigned int numSectors, char *ubuffer, size_t len) {
-    char *buffer = (char *) malloc(4096);
+    char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE);
     if (!buffer) {
         SLOGE("Error allocating memory (%s)", strerror(errno));
         return -1;
@@ -175,7 +180,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     struct dm_ioctl *io = (struct dm_ioctl *) buffer;
  
     // Create the DM device
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
 
     if (ioctl(fd, DM_DEV_CREATE, io)) {
         SLOGE("Error creating device mapping (%s)", strerror(errno));
@@ -185,7 +190,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     }
 
     // Set the legacy geometry
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
 
     char *geoParams = buffer + sizeof(struct dm_ioctl);
     // bps=512 spc=8 res=32 nft=2 sec=8190 mid=0xf0 spt=63 hds=64 hid=0 bspf=8 rdcl=2 infs=1 bkbs=2
@@ -200,7 +205,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     }
 
     // Retrieve the device number we were allocated
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
     if (ioctl(fd, DM_DEV_STATUS, io)) {
         SLOGE("Error retrieving devmapper status (%s)", strerror(errno));
         free(buffer);
@@ -215,17 +220,19 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     struct dm_target_spec *tgt;
     tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
 
-    ioctlInit(io, 4096, name, DM_STATUS_TABLE_FLAG);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, DM_STATUS_TABLE_FLAG);
     io->target_count = 1;
     tgt->status = 0;
 
     tgt->sector_start = 0;
     tgt->length = numSectors;
 
-    strcpy(tgt->target_type, "crypt");
+    strlcpy(tgt->target_type, "crypt", sizeof(tgt->target_type));
 
     char *cryptParams = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
-    sprintf(cryptParams, "twofish %s 0 %s 0", key, loopFile);
+    snprintf(cryptParams,
+            DEVMAPPER_BUFFER_SIZE - (sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec)),
+            "twofish %s 0 %s 0", key, loopFile);
     cryptParams += strlen(cryptParams) + 1;
     cryptParams = (char *) _align(cryptParams, 8);
     tgt->next = cryptParams - buffer;
@@ -238,7 +245,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
     }
 
     // Resume the new table
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
 
     if (ioctl(fd, DM_DEV_SUSPEND, io)) {
         SLOGE("Error Resuming (%s)", strerror(errno));
@@ -254,7 +261,7 @@ int Devmapper::create(const char *name, const char *loopFile, const char *key,
 }
 
 int Devmapper::destroy(const char *name) {
-    char *buffer = (char *) malloc(4096);
+    char *buffer = (char *) malloc(DEVMAPPER_BUFFER_SIZE);
     if (!buffer) {
         SLOGE("Error allocating memory (%s)", strerror(errno));
         return -1;
@@ -270,7 +277,7 @@ int Devmapper::destroy(const char *name) {
     struct dm_ioctl *io = (struct dm_ioctl *) buffer;
  
     // Create the DM device
-    ioctlInit(io, 4096, name, 0);
+    ioctlInit(io, DEVMAPPER_BUFFER_SIZE, name, 0);
 
     if (ioctl(fd, DM_DEV_REMOVE, io)) {
         if (errno != ENXIO) {
diff --git a/Loop.cpp b/Loop.cpp
index 98015e2..dbfd331 100644
--- a/Loop.cpp
+++ b/Loop.cpp
@@ -188,8 +188,8 @@ int Loop::create(const char *id, const char *loopFile, char *loopDeviceBuffer, s
     struct loop_info64 li;
 
     memset(&li, 0, sizeof(li));
-    strncpy((char*) li.lo_crypt_name, id, LO_NAME_SIZE);
-    strncpy((char*) li.lo_file_name, loopFile, LO_NAME_SIZE);
+    strlcpy((char*) li.lo_crypt_name, id, LO_NAME_SIZE);
+    strlcpy((char*) li.lo_file_name, loopFile, LO_NAME_SIZE);
 
     if (ioctl(fd, LOOP_SET_STATUS64, &li) < 0) {
         SLOGE("Error setting loopback status (%s)", strerror(errno));
diff --git a/vdc.c b/vdc.c
index 4f94ad3..1eb674c 100644
--- a/vdc.c
+++ b/vdc.c
@@ -21,6 +21,7 @@
 #include <signal.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <stdlib.h>
 
 #include <sys/socket.h>
 #include <sys/select.h>
@@ -56,6 +57,7 @@ int main(int argc, char **argv) {
 static int do_cmd(int sock, int argc, char **argv) {
     char final_cmd[255] = { '\0' };
     int i;
+    int ret;
 
     for (i = 1; i < argc; i++) {
         char *cmp;
@@ -65,7 +67,9 @@ static int do_cmd(int sock, int argc, char **argv) {
         else
             asprintf(&cmp, "\"%s\"%s", argv[i], (i == (argc -1)) ? "" : " ");
 
-        strcat(final_cmd, cmp);
+        ret = strlcat(final_cmd, cmp, sizeof(final_cmd));
+        if (ret >= sizeof(final_cmd))
+            abort();
         free(cmp);
     }