tee-supplicant: Enforce paths bound limits
Switch from strdup() and strcpy() to strndup() and strncpy(). Also,
if the path concatenated by snprintf() is too long, print an error
message and terminate startup.

Signed-off-by: Tanel Dettenborn <[email protected]>
Tanel Dettenborn committed Dec 5, 2023
1 parent a8381cf commit 50df216
Showing 2 changed files with 15 additions and 7 deletions.
2 changes: 1 addition & 1 deletion tee-supplicant/src/tee_supp_fs.c
@@ -119,7 +119,7 @@ static int do_mkdir(const char *path, mode_t mode)
static int mkpath(const char *path, mode_t mode)
{
int status = 0;
char *subpath = strdup(path);
char *subpath = strndup(path, PATH_MAX);
char *prev = subpath;
char *curr = NULL;

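Review bot: `strndup(path, PATH_MAX)` in mkpath() silently shortens an over-long path instead of rejecting it, so the directories created afterwards would belong to a truncated path rather than the one the caller asked for. It also permits a copy of exactly PATH_MAX characters, which is one byte more than fits in a PATH_MAX-sized buffer together with its terminator. If the intent is to enforce the limit, check the length up front, e.g. `if (strnlen(path, PATH_MAX) >= PATH_MAX) return -1;` (adjust the return value to mkpath's convention). The rest of the function lies outside the hunk, so whether `subpath` is checked for NULL before use cannot be seen here and should be confirmed.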
20 changes: 14 additions & 6 deletions tee-supplicant/src/tee_supplicant.c
@@ -706,11 +706,12 @@ static void set_ta_path(void)
char *new_path = NULL;
size_t n = 0;
const char *path = supplicant_params.ta_load_path;
int path_len = -1;

if (!path)
path = TEEC_LOAD_PATH;

ta_path_str = strdup(path);
ta_path_str = strndup(path, PATH_MAX);
if (!ta_path_str)
goto err;

@@ -726,18 +727,21 @@ static void set_ta_path(void)
goto err;

n = 0;
strcpy(ta_path_str, path);
strncpy(ta_path_str, path, PATH_MAX);
p = ta_path_str;

while ((new_path = strtok_r(p, ":", &saveptr))) {
if (!supplicant_params.ta_load_path) {
char full_path[PATH_MAX] = { 0 };

snprintf(full_path, PATH_MAX, "%s/%s", new_path,
supplicant_params.ta_dir);
ta_path[n++] = strdup(full_path);
path_len = snprintf(full_path, PATH_MAX, "%s/%s", new_path,
supplicant_params.ta_dir);
if (path_len < 0 || path_len >= PATH_MAX)
goto err_path;

ta_path[n++] = strndup(full_path, PATH_MAX);
} else {
ta_path[n++] = strdup(new_path);
ta_path[n++] = strndup(new_path, PATH_MAX);
}

p = NULL;
@@ -749,6 +753,10 @@ static void set_ta_path(void)
err:
EMSG("out of memory");
exit(EXIT_FAILURE);

err_path:
EMSG("Path exceeds maximum path length");
exit(EXIT_FAILURE);
}

/*
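Review bot: The new `strncpy(ta_path_str, path, PATH_MAX)` in the second hunk of set_ta_path() can write past the end of `ta_path_str`. strncpy() zero-fills the destination up to the full count, while the buffer comes from `strndup(path, PATH_MAX)` in the first hunk and holds only `strlen(path) + 1` bytes for any path shorter than PATH_MAX (assuming it is not reallocated in the lines elided between the hunks). The count must be the size of the allocation, not the limit: record `size_t len = strnlen(path, PATH_MAX);` before duplicating, jump to `err_path` when `len == PATH_MAX` so an over-long list is rejected rather than truncated, and restore the string with `memcpy(ta_path_str, path, len + 1);`. The `strndup()` results stored into `ta_path[n++]` are also not checked for NULL, unlike the first duplicate.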
