[iccpd]: Add boundary check before memset, memcpy, strncpy (sonic-net…

…#18270) Add boundary check before memset, memcpy, strncpy calls to prevent buffer overflow Microsoft ADO (number only): 27008041 Signed-off-by: Mai Bui <maibui@microsoft.com>
dgsudharsan · May 13, 2024 · c01f031 · c01f031
1 parent 050c764
commit c01f031
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/src/iccpd/src/iccp_cli.c b/src/iccpd/src/iccp_cli.c
@@ -117,7 +117,12 @@ int set_peer_link(int mid, const char* ifname)
                        csm->mlag_id, ifname);
     }
 
-    memset(csm->peer_itf_name, 0, MAX_L_PORT_NAME);
+    memset(csm->peer_itf_name, 0, IFNAMSIZ);
+    if (len > IFNAMSIZ)
+    {
+        ICCPD_LOG_ERR(__FUNCTION__, "len=%d greater than IFNAMESIZ=%d", len, IFNAMSIZ);
+        return MCLAG_ERROR;
+    }
     memcpy(csm->peer_itf_name, ifname, len);
 
     /* update peer-link link handler*/
@@ -208,8 +213,18 @@ int set_local_address(int mid, const char* addr)
 
     len = strlen(addr);
     memset(csm->sender_ip, 0, INET_ADDRSTRLEN);
+    if (len > INET_ADDRSTRLEN)
+    {
+        ICCPD_LOG_ERR(__FUNCTION__, "len=%d greater than INET_ADDRSTRLEN=%d ", len, INET_ADDRSTRLEN);
+        return MCLAG_ERROR;
+    }
     memcpy(csm->sender_ip, addr, len);
     memset(csm->iccp_info.sender_name, 0, INET_ADDRSTRLEN);
+    if (len > INET_ADDRSTRLEN)
+    {
+        ICCPD_LOG_ERR(__FUNCTION__, "len=%d greater than INET_ADDRSTRLEN=%d ", len, INET_ADDRSTRLEN);
+        return MCLAG_ERROR;
+    }
     memcpy(csm->iccp_info.sender_name, addr, len);
 
     return 0;
@@ -268,6 +283,11 @@ int set_peer_address(int mid, const char* addr)
     }
 
     memset(csm->peer_ip, 0, INET_ADDRSTRLEN);
+    if (len > INET_ADDRSTRLEN)
+    {
+        ICCPD_LOG_ERR(__FUNCTION__, "len=%d greater than INET_ADDRSTRLEN=%d ", len, INET_ADDRSTRLEN);
+        return MCLAG_ERROR;
+    }
     memcpy(csm->peer_ip, addr, len);
 
     return 0;

diff --git a/src/iccpd/src/iccp_cmd.c b/src/iccpd/src/iccp_cmd.c
@@ -135,6 +135,10 @@ int iccp_config_from_command(char * line)
                 cp++;
 
             slen = cp - start;
+            if (slen > strlen(token))
+            {
+                return MCLAG_ERROR;
+            }
             strncpy(token, start, slen);
             *(token + slen) = '\0';
             iccp_cli_attach_mclag_domain_to_port_channel(mid, token);