Fix out-of-bounds string manipulation #167
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This isn't correct. The string should not just be "libredfish" it should be something like "libredfish:eth0:ipv4" to get a listener for eth0 interface that listens to events via IPv4. Or "libredfish:vlan.4003:ipv6" to get a listener for VLAN 4003 that listens to events via IPv6. |
I see, thank you for the clarification. let me take another look at this |
If registerForEvents() is called with "libredfish" for the postbackUri parameter, the function accepts this string and passes a pointer to 'postbackUri+11' to getDestinationAddress. In this case, the pointer actually points past the end of the string's null byte. On CHERI architectures, such as ARM Morello, pointer bounds are enforced in hardware and attempting to dereference the pointer passed to getDestinationAddress() causes a segfault. Valid values for postbackUri should include a colon after "libredfish", checking for this as part of the strncmp call rejects the invalid string "libredfish" and this also means that getDestinationAddress() is not passed an invalid pointer. This prevents a segfault on CHERI and prevents undefined behavior on other architectures. Signed-off-by: Michael Cobb <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The string
postbackUricontains the string "libredfish" (10 characters, + 1 null byte), the address 'postbackUri+11' actually points past the end of the string (inc. null byte). This pointer is eventually passed as an argument to strstr().This out of bounds access causes a segfault on architectures which enforce pointer bounds, for example, CHERI architectures such as ARM Morello.