d.mon: Fix Unbounded Source Buffer in main.c file of d.mon module #4260
Conversation
There was a problem hiding this comment.
While this may address the unbounded source buffer issue, it seems to me that it will just lead to another warning. The mon string goes into functions like list_cmd and somewhere there it is put to another buffer which may or may not be large enough. Maybe the issue needs to be addressed there. I checked this issue in Coverity Scan and it seems to be able to take you there.
ShubhamDesai
changed the title
To address this, I have now added two checks: Primary Check in the Main File: I implemented a length check for mon directly in the main file to ensure it is within safe limits before being passed to other functions. Additional Checks in Individual Functions: In each of the individual functions, the length of name is also checked to provide an extra layer of safety. For these checks, instead of using a random number, I used GPATH_MAX as the baseline. The MONITOR_NAME_LIMIT is specifically calculated as GPATH_MAX - strlen("/MONITORS/") - 1 because the "/MONITORS/" directory path is used in one of the functions to create a temporary directory. This calculation ensures that the actual monitor name length is within safe limits, considering the directory structure. So if the checks pass in the main file still there will be additional checks inside the functions |
display/d.mon/stop.c
Outdated
| if (strlen(name) >= GPATH_MAX) { | ||
| G_fatal_error(_("Monitor name <%s> is too long."), name); | ||
| } | ||
|
|
There was a problem hiding this comment.
Here, it is not constructing any strings, so a check is not needed.
display/d.mon/main.c
Outdated
| @@ -176,7 +178,7 @@ int main(int argc, char *argv[]) | |||
| if (list_flag->answer) | |||
| G_warning(_("Flag -%c ignored"), list_flag->key); | |||
| mon = G_getenv_nofatal("MONITOR"); | |||
| if (mon) { | |||
| if (mon && strlen(mon) < MONITOR_NAME_LIMIT) { | |||
There was a problem hiding this comment.
There is actually GNAME_MAX, so you that.
display/d.mon/list.c
Outdated
| if (strlen(name) >= GPATH_MAX) { | ||
| G_fatal_error(_("Monitor name <%s> is too long."), name); | ||
| } |
There was a problem hiding this comment.
The check should be done in get_path where the strings are concatenated. See also below for the issue with the check itself.
There was a problem hiding this comment.
I initialized the available_space variable with GPATH_MAX - strlen(tmpdir) - 1, ensuring that it accounts for the initial size of tmpdir and the null terminator.
After each concatenation (such as "/", "MONITORS", and the monitor name), I subtracted the length of the appended string from available_space and checked whether there was enough space for the next operation.
This ensures that each part of the path can be appended safely without overflowing the buffer.
display/d.mon/list.c
Outdated
| if (strlen(tmpdir) >= GPATH_MAX) { | ||
| G_fatal_error(_("The path for monitor <%s> is too long."), name); | ||
| } |
There was a problem hiding this comment.
This type of check actually does not work. The point is not to limit the length of the string just because. The point is to not overflow the allocated buffer. You need to compute the length before using strcat, for strings which are too long, the behavior is undefined (see strcat doc).
There was a problem hiding this comment.
same usage of variable available_space for calculating the buffer availability
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
There was a problem hiding this comment.
I have planned to create a new G_strlcat() (local wrapper/implementation of strlcat(), to accompany G_strlcpy()), but have not got the time for that yet.
That would make this fix much less complicated. Please hold on for that (or implement for the time being with posix strlcat() if possible).
|
G_strlcat is now in place. |
Done. |
|
|
This Pull Request addresses the unbounded source buffer issue identified by Coverity Scan (CID: 1270265).
Changes Implemented:
Monitor Name Length Check:
Defined a maximum length for the monitor name (mon) as 256 characters using the MONITOR_NAME_LIMIT macro.
Introduced checks to ensure that the mon variable, which stores the monitor name, does not exceed this defined length.
The check if (mon && strlen(mon) < MONITOR_NAME_LIMIT) ensures that mon is not NULL and that its length does not exceed MONITOR_NAME_LIMIT.