DAOS-16501 dfs: Possible missing string termination

There are several issues in strncpy usage that may cause memory corruption. Target string may not be ended by `\0` character. Issues detected during sanitizer integration Ref: #15105 Co-authored-by: Cedric Koch-Hofer <[email protected]> Co-autohred-by: Tomasz Gromadzki <[email protected]> Signed-off-by: Tomasz Gromadzki <[email protected]> Doc-only: true
daos-stack · Feb 17, 2025 · 6624f78 · 6624f78
1 parent 441ee8d
commit 6624f78
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 7 deletions.
diff --git a/src/client/dfs/cont.c b/src/client/dfs/cont.c
@@ -1,5 +1,6 @@
 /**
  * (C) Copyright 2018-2024 Intel Corporation.
+ * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -83,7 +84,8 @@ dfs_cont_create(daos_handle_t poh, uuid_t *cuuid, dfs_attr_t *attr, daos_handle_
 			dattr.da_chunk_size = DFS_DEFAULT_CHUNK_SIZE;
 
 		if (attr->da_hints[0] != 0) {
-			strncpy(dattr.da_hints, attr->da_hints, DAOS_CONT_HINT_MAX_LEN);
+			/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+			strncpy(dattr.da_hints, attr->da_hints, DAOS_CONT_HINT_MAX_LEN - 1);
 			dattr.da_hints[DAOS_CONT_HINT_MAX_LEN - 1] = '\0';
 		}
 	} else {

diff --git a/src/client/dfs/obj.c b/src/client/dfs/obj.c
@@ -1,5 +1,6 @@
 /**
  * (C) Copyright 2018-2024 Intel Corporation.
+ * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -510,7 +511,9 @@ dfs_dup(dfs_t *dfs, dfs_obj_t *obj, int flags, dfs_obj_t **_new_obj)
 		D_GOTO(err, rc = EINVAL);
 	}
 
-	strncpy(new_obj->name, obj->name, DFS_MAX_NAME + 1);
+	/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+	strncpy(new_obj->name, obj->name, DFS_MAX_NAME);
+	new_obj->name[DFS_MAX_NAME] = '\0';
 	new_obj->dfs   = dfs;
 	new_obj->mode  = obj->mode;
 	new_obj->flags = flags;
@@ -616,8 +619,9 @@ dfs_obj_local2global(dfs_t *dfs, dfs_obj_t *obj, d_iov_t *glob)
 	oid_cp(&obj_glob->parent_oid, obj->parent_oid);
 	uuid_copy(obj_glob->coh_uuid, coh_uuid);
 	uuid_copy(obj_glob->cont_uuid, cont_uuid);
-	strncpy(obj_glob->name, obj->name, DFS_MAX_NAME + 1);
-	obj_glob->name[DFS_MAX_NAME] = 0;
+	/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+	strncpy(obj_glob->name, obj->name, DFS_MAX_NAME);
+	obj_glob->name[DFS_MAX_NAME] = '\0';
 	if (S_ISDIR(obj_glob->mode))
 		return 0;
 	rc = dfs_get_chunk_size(obj, &obj_glob->chunk_size);
@@ -674,7 +678,8 @@ dfs_obj_global2local(dfs_t *dfs, int flags, d_iov_t glob, dfs_obj_t **_obj)
 
 	oid_cp(&obj->oid, obj_glob->oid);
 	oid_cp(&obj->parent_oid, obj_glob->parent_oid);
-	strncpy(obj->name, obj_glob->name, DFS_MAX_NAME + 1);
+	/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+	strncpy(obj->name, obj_glob->name, DFS_MAX_NAME);
 	obj->name[DFS_MAX_NAME] = '\0';
 	obj->mode               = obj_glob->mode;
 	obj->dfs                = dfs;

diff --git a/src/client/dfuse/ops/lookup.c b/src/client/dfuse/ops/lookup.c
@@ -1,5 +1,6 @@
 /**
  * (C) Copyright 2016-2024 Intel Corporation.
+ * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -118,11 +119,14 @@ dfuse_reply_entry(struct dfuse_info *dfuse_info, struct dfuse_inode_entry *ie,
 
 			/* Save the old name so that we can invalidate it in later */
 			wipe_parent = inode->ie_parent;
+			/* DAOS-17042 Replace strncpy with strncat or strlcpy */
 			strncpy(wipe_name, inode->ie_name, NAME_MAX);
 			wipe_name[NAME_MAX] = '\0';
 
 			inode->ie_parent = ie->ie_parent;
-			strncpy(inode->ie_name, ie->ie_name, NAME_MAX + 1);
+			/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+			strncpy(inode->ie_name, ie->ie_name, NAME_MAX);
+			inode->ie_name[NAME_MAX] = '\0';
 		}
 		atomic_fetch_sub_relaxed(&ie->ie_ref, 1);
 		dfuse_ie_close(dfuse_info, ie);
@@ -294,7 +298,9 @@ dfuse_cb_lookup(fuse_req_t req, struct dfuse_inode_entry *parent,
 	if (attr_len)
 		DFUSE_TRA_DEBUG(ie, "Attr len is %zi", attr_len);
 
+	/* DAOS-17042 Replace strncpy with strncat or strlcpy */
 	strncpy(ie->ie_name, name, NAME_MAX);
+	ie->ie_name[NAME_MAX] = '\0';
 
 	dfs_obj2id(ie->ie_obj, &ie->ie_oid);
 

diff --git a/src/tests/obj_ctl.c b/src/tests/obj_ctl.c
@@ -1,5 +1,6 @@
 /**
  * (C) Copyright 2017-2022 Intel Corporation.
+ * (C) Copyright 2025 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -198,7 +199,8 @@ ctl_cmd_run(char opc, char *args)
 	int			 rc;
 
 	if (args) {
-		strncpy(buf, args, CTL_BUF_LEN);
+		/* DAOS-17042 Replace strncpy with strncat or strlcpy */
+		strncpy(buf, args, CTL_BUF_LEN - 1);
 		buf[CTL_BUF_LEN - 1] = '\0';
 		str = daos_str_trimwhite(buf);
 	} else {