Let remote_tempdir() assume a NUL-terminated name

This is the case already. We also fix a buffer overflow opportunity in the memcpy() call by this change.
ClusterLabs · Apr 23, 2019 · 1699bf4 · 1699bf4
1 parent 4aa4608
commit 1699bf4
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 11 deletions.
diff --git a/lib/ipc_int.h b/lib/ipc_int.h
@@ -207,6 +207,6 @@ int32_t qb_ipc_us_sock_error_is_disconnected(int err);
 
 int use_filesystem_sockets(void);
 
-void remove_tempdir(const char *name, size_t namelen);
+void remove_tempdir(const char *name);
 
 #endif /* QB_IPC_INT_H_DEFINED */
diff --git a/lib/ipc_setup.c b/lib/ipc_setup.c
@@ -904,16 +904,15 @@ qb_ipcs_us_connection_acceptor(int fd, int revent, void *data)
 	return 0;
 }
 
-void remove_tempdir(const char *name, size_t namelen)
+void remove_tempdir(const char *name)
 {
 #if defined(QB_LINUX) || defined(QB_CYGWIN)
 	char dirname[PATH_MAX];
-	char *slash;
-	memcpy(dirname, name, namelen);
+	char *slash = strrchr(name, '/');
 
-	slash = strrchr(dirname, '/');
-	if (slash) {
-		*slash = '\0';
+	if (slash && slash - name < sizeof dirname) {
+		memcpy(dirname, name, slash - name);
+		dirname[slash - name] = '\0';
 		/* This gets called more than it needs to be really, so we don't check
 		 * the return code. It's more of a desperate attempt to clean up after ourself
 		 * in either the server or client.

diff --git a/lib/ipc_shm.c b/lib/ipc_shm.c
@@ -240,7 +240,7 @@ qb_ipcs_shm_disconnect(struct qb_ipcs_connection *c)
 		}
 	}
 
-	remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+	remove_tempdir(c->description);
 }
 
 static int32_t

diff --git a/lib/ipc_socket.c b/lib/ipc_socket.c
@@ -376,7 +376,7 @@ qb_ipcc_us_disconnect(struct qb_ipcc_connection *c)
 	}
 
 	/* Last-ditch attempt to tidy up after ourself */
-	remove_tempdir(c->request.u.us.shared_file_name, PATH_MAX);
+	remove_tempdir(c->request.u.us.shared_file_name);
 
 	qb_ipcc_us_sock_close(c->event.u.us.sock);
 	qb_ipcc_us_sock_close(c->request.u.us.sock);
@@ -772,7 +772,7 @@ qb_ipcs_us_disconnect(struct qb_ipcs_connection *c)
 
 
 	}
-	remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+	remove_tempdir(c->description);
 }
 
 static int32_t

diff --git a/lib/ipcs.c b/lib/ipcs.c
@@ -642,7 +642,7 @@ qb_ipcs_disconnect(struct qb_ipcs_connection *c)
 				scheduled_retry = 1;
 			}
 		}
-		remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+		remove_tempdir(c->description);
 		if (scheduled_retry == 0) {
 			/* This removes the initial alloc ref */
 			qb_ipcs_connection_unref(c);
-Original file line number
+Diff line change
@@ Expand Up / @@ -240,7 +240,7 @@ qb_ipcs_shm_disconnect(struct qb_ipcs_connection *c) @@
     		}
     	}
-    	remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+    	remove_tempdir(c->description);
     }
     static int32_t
@@ Expand Down @@