LU-18769 lnet: lnetctl memory corruption because of buffer overflow

Sometimes the the user passed name is larger than the size of
lnet_dlc_intf_descr.intf_name. Add proper validation checks before
strncpy and strcpy so that the buffer does not overflow.

Test-Parameters: trivial
Signed-off-by: Manish Regmi <mregmi@ddn.com>
Change-Id: Ifa867cd60ded64fcefe0a6b948f34e9f542e6e04
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/58288
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Chris Horn <chris.horn@hpe.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lnet/utils/lnetconfig/liblnetconfig.c b/lnet/utils/lnetconfig/liblnetconfig.c
index 4dc284b..4a12809 100644 (file)
--- a/lnet/utils/lnetconfig/liblnetconfig.c
+++ b/lnet/utils/lnetconfig/liblnetconfig.c
@@ -208,10 +208,19 @@ static int lustre_lnet_add_intf_descr(struct list_head *list, char *intf,
                        free(intf_descr);
                        return LUSTRE_CFG_RC_BAD_PARAM;
                }
+               if ((open_sq_bracket - intf_name) >=
+                       sizeof(intf_descr->intf_name)) {
+                       free(intf_descr);
+                       return LUSTRE_CFG_RC_BAD_PARAM;
+               }
                strncpy(intf_descr->intf_name, intf_name,
                        open_sq_bracket - intf_name);
                intf_descr->intf_name[open_sq_bracket - intf_name] = '\0';
        } else {
+               if (strlen(intf_name) >= sizeof(intf_descr->intf_name)) {
+                       free(intf_descr);
+                       return LUSTRE_CFG_RC_BAD_PARAM;
+               }
                strcpy(intf_descr->intf_name, intf_name);
                intf_descr->cpt_expr = NULL;
        }