tee-supplicant: Enforce paths bound limits

Verify "ta-path" command line argument length and if snprintf() concated path is too long, then print an error message and terminate startup. Signed-off-by: Tanel Dettenborn <[email protected]>
OP-TEE · Dec 6, 2023 · 6da2ea9 · 6da2ea9
1 parent a8381cf
commit 6da2ea9
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/tee-supplicant/src/tee_supplicant.c b/tee-supplicant/src/tee_supplicant.c
@@ -706,6 +706,7 @@ static void set_ta_path(void)
 	char *new_path = NULL;
 	size_t n = 0;
 	const char *path = supplicant_params.ta_load_path;
+	int path_len = -1;
 
 	if (!path)
 		path = TEEC_LOAD_PATH;
@@ -733,11 +734,18 @@ static void set_ta_path(void)
 		if (!supplicant_params.ta_load_path) {
 			char full_path[PATH_MAX] = { 0 };
 
-			snprintf(full_path, PATH_MAX, "%s/%s", new_path,
-					supplicant_params.ta_dir);
-			ta_path[n++] = strdup(full_path);
+			path_len = snprintf(full_path, PATH_MAX, "%s/%s", new_path,
+						supplicant_params.ta_dir);
+			if (path_len < 0 || path_len >= PATH_MAX)
+				goto err_path;
+
+			ta_path[n++] = strndup(full_path, PATH_MAX);
 		} else {
-			ta_path[n++] = strdup(new_path);
+			path_len = strnlen(new_path, PATH_MAX);
+			if (path_len >= PATH_MAX)
+				goto err_path;
+
+			ta_path[n++] = strndup(new_path, PATH_MAX);
 		}
 
 		p = NULL;
@@ -749,6 +757,10 @@ static void set_ta_path(void)
 err:
 	EMSG("out of memory");
 	exit(EXIT_FAILURE);
+
+err_path:
+	EMSG("Path exceeds maximum path length");
+	exit(EXIT_FAILURE);
 }
 
 /*