Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix rpmsgfs/rpmsgfs_client.c:774:3: warning: 'strcpy' writing 1 or more bytes into a region of size 0 overflows the destination #5823

Merged
merged 1 commit into from
Mar 23, 2022
Merged

Fix rpmsgfs/rpmsgfs_client.c:774:3: warning: 'strcpy' writing 1 or more bytes into a region of size 0 overflows the destination #5823

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions fs/rpmsgfs/rpmsgfs_client.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -726,11 +726,12 @@ int rpmsgfs_client_rename(FAR void *handle, FAR const char *oldpath,
struct rpmsgfs_rename_s *msg;
size_t len;
size_t oldlen;
size_t newlen;
uint32_t space;

len = sizeof(*msg);
oldlen = (strlen(oldpath) + 1 + 0x7) & ~0x7;
len += oldlen + strlen(newpath) + 1;
oldlen = strlen(oldpath) + 1;
newlen = strlen(newpath) + 1;
len = sizeof(*msg) + oldlen + newlen;

msg = rpmsg_get_tx_payload_buffer(&priv->ept, &space, true);
if (!msg)
Expand All @@ -740,8 +741,8 @@ int rpmsgfs_client_rename(FAR void *handle, FAR const char *oldpath,

DEBUGASSERT(len <= space);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When DEBUGASSERT is a no-op, this check for buffer overflow will not exist.

I suggest:

if (len > space)
  {
    return -ENOMEM;
  }

provided space is number of bytes we can actually use. If require one more byte, use >= instead:

if (len >= space)
  {
    return -ENOMEM;
  }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn't rpmsg_free_tx_payload_buffer api yet:
OpenAMP/open-amp#361
That is why DEBUGASSERT is added here since we can't return the buffer to pool without sending.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once OpenAMP/open-amp#361 get fixed, we can convert all DEBUGASSERT to if/else.


strcpy(msg->pathname, oldpath);
strcpy(msg->pathname + oldlen, newpath);
memcpy(msg->pathname, oldpath, oldlen);
memcpy(msg->pathname + oldlen, newpath, newlen);

xiaoxiang781216 marked this conversation as resolved.
Show resolved Hide resolved
return rpmsgfs_send_recv(priv, RPMSGFS_RENAME, false,
(struct rpmsgfs_header_s *)msg, len, NULL);
Expand Down