Closed Bug 1309133 Opened 3 years ago Closed 3 years ago

[Static Analysis][Buffer not null terminated] In function SandboxBroker::ThreadMain

Categories

(Core :: Security: Process Sandboxing, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1373569)

Attachments

(1 file, 1 obsolete file)

The Static Analysis tool Coverity detected that a buffer not null terminated occurs in this following context:

>>strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);

This can happen since the size of of |pathBuf2| is kMaxPathLen + 1 so the 3rd argument of strncpy might be kMaxPathLen
If you read the comment right above that line, that is 100% intentional:

      // We do not assume the second path is 0-terminated, this is
      // enforced below.
      strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);

The bug is:

        // Force 0 termination.
        pathBuf[pathLen2] = '\0';

Which should've been pathBuf2[...]
Comment on attachment 8799634 [details]
Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain.

https://reviewboard.mozilla.org/r/84782/#review83418
Attachment #8799634 - Flags: review?(gpascutto) → review-
Comment on attachment 8799634 [details]
Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain.

https://reviewboard.mozilla.org/r/84782/#review83424
Attachment #8799634 - Flags: review?(gpascutto) → review+
Attachment #8799723 - Attachment is obsolete: true
Attachment #8799723 - Flags: review?(jld)
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ed40af32ba48
null terminate pathBuf2 in SandboxBroker::ThreadMain. r=gcp
Comment on attachment 8799723 [details]
Bug 1309133 - Ensure termination of the correct buffer.

https://reviewboard.mozilla.org/r/84862/#review83426
Attachment #8799723 - Attachment is obsolete: false
Attachment #8799723 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/ed40af32ba48
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.