From 6da2ea9e0801ef69e2fd9a39076af68d9c94c35f Mon Sep 17 00:00:00 2001
From: Tanel Dettenborn
Date: Tue, 5 Dec 2023 10:47:05 +0200
Subject: [PATCH] tee-supplicant: Enforce paths bound limits
Verify "ta-path" command line argument length and if snprintf() concated path is too long, then print an error message and terminate startup.
Signed-off-by: Tanel Dettenborn
---
 tee-supplicant/src/tee_supplicant.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/tee-supplicant/src/tee_supplicant.c b/tee-supplicant/src/tee_supplicant.c
index 4fc247c4..747830d0 100644
--- a/tee-supplicant/src/tee_supplicant.c
+++ b/tee-supplicant/src/tee_supplicant.c
@@ -706,6 +706,7 @@ static void set_ta_path(void)
 char *new_path = NULL;
 size_t n = 0;
 const char *path = supplicant_params.ta_load_path;
+ int path_len = -1;
 if (!path)
 path = TEEC_LOAD_PATH;
@@ -733,11 +734,18 @@ static void set_ta_path(void)
 if (!supplicant_params.ta_load_path) {
 char full_path[PATH_MAX] = { 0 };
- snprintf(full_path, PATH_MAX, "%s/%s", new_path,
- supplicant_params.ta_dir);
- ta_path[n++] = strdup(full_path);
+ path_len = snprintf(full_path, PATH_MAX, "%s/%s", new_path,
+ supplicant_params.ta_dir);
+ if (path_len < 0 || path_len >= PATH_MAX)
+ goto err_path;
+
+ ta_path[n++] = strndup(full_path, PATH_MAX);
 } else {
- ta_path[n++] = strdup(new_path);
+ path_len = strnlen(new_path, PATH_MAX);
+ if (path_len >= PATH_MAX)
+ goto err_path;
+
+ ta_path[n++] = strndup(new_path, PATH_MAX);
 }
 p = NULL;
@@ -749,6 +757,10 @@ static void set_ta_path(void)
 err:
 EMSG("out of memory");
 exit(EXIT_FAILURE);
+
+err_path:
+ EMSG("Path exceeds maximum path length");
+ exit(EXIT_FAILURE);
 }
 /*
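Review bot: The `strndup()` result in both branches of the second hunk is stored into `ta_path[n++]` without a NULL check, so an allocation failure leaves a NULL entry in the table even though the function already has an `err:` label that reports "out of memory"; adding `if (!ta_path[n - 1]) goto err;` after each assignment would match the existing error path, unless the entries are validated after the loop, which lies outside this hunk. A smaller point: `path_len` is an `int` that receives a `size_t` from `strnlen()` and an `int` from `snprintf()`; this is safe only because both are bounded by PATH_MAX, and a `size_t` local compared against `(size_t)path_len` after the `< 0` check would avoid the signed/unsigned mix under -Wconversion. The `strndup()` bound is redundant once the explicit length checks pass, which is fine but worth a one-line comment such as `/* length already verified; bound is belt-and-braces */`. The enclosing loop body continues past the final `p = NULL;` line of the hunk.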
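Review bot: The new `err_path:` message in the third hunk says only that a path is too long, without naming the limit or which of the two inputs (the concatenated `new_path/ta_dir` or the bare ta-path argument) tripped it, so an operator whose supplicant exits at startup has to read the source to know what to shorten. Including the limit is a one-line improvement, `EMSG("TA path exceeds PATH_MAX (%d)", PATH_MAX);`; printing the offending string itself would need the message moved to the `goto` sites, since `full_path` is block-scoped in the snprintf branch. Placing the label after the unconditional `exit()` is fine because `exit()` does not return.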