From 5b195e87aca9705b0f49c90bc06763951ba93ef7 Mon Sep 17 00:00:00 2001
From: Manish Regmi <mregmi@ddn.com>
Date: Mon, 3 Mar 2025 15:22:00 -0800
Subject: [PATCH] LU-18769 lnet: lnetctl memory corruption because of buffer
 overflow

Sometimes the the user passed name is larger than the size of
lnet_dlc_intf_descr.intf_name. Add proper validation checks before
strncpy and strcpy so that the buffer does not overflow.

Test-Parameters: trivial
Signed-off-by: Manish Regmi <mregmi@ddn.com>
Change-Id: Ifa867cd60ded64fcefe0a6b948f34e9f542e6e04
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/58288
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Chris Horn <chris.horn@hpe.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---
 lnet/utils/lnetconfig/liblnetconfig.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lnet/utils/lnetconfig/liblnetconfig.c b/lnet/utils/lnetconfig/liblnetconfig.c
index 4dc284b..4a12809 100644
--- a/lnet/utils/lnetconfig/liblnetconfig.c
+++ b/lnet/utils/lnetconfig/liblnetconfig.c
@@ -208,10 +208,19 @@ static int lustre_lnet_add_intf_descr(struct list_head *list, char *intf,
 			free(intf_descr);
 			return LUSTRE_CFG_RC_BAD_PARAM;
 		}
+		if ((open_sq_bracket - intf_name) >=
+			sizeof(intf_descr->intf_name)) {
+			free(intf_descr);
+			return LUSTRE_CFG_RC_BAD_PARAM;
+		}
 		strncpy(intf_descr->intf_name, intf_name,
 			open_sq_bracket - intf_name);
 		intf_descr->intf_name[open_sq_bracket - intf_name] = '\0';
 	} else {
+		if (strlen(intf_name) >= sizeof(intf_descr->intf_name)) {
+			free(intf_descr);
+			return LUSTRE_CFG_RC_BAD_PARAM;
+		}
 		strcpy(intf_descr->intf_name, intf_name);
 		intf_descr->cpt_expr = NULL;
 	}
-- 
1.8.3.1