[Static Analysis][Buffer not null terminated] In function SandboxBroker::ThreadMain

RESOLVED FIXED in Firefox 52

Status

Core
Security: Process Sandboxing
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: andi, Assigned: andi)

Tracking

(Blocks: 1 bug, {coverity})

Trunk
mozilla52
coverity
Points:
---

Firefox Tracking Flags

(firefox52 fixed)

Details

(Whiteboard: CID 1373569)

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

2 years ago
The static analysis tool Coverity detected a buffer that is not null terminated in the following context:

>>strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);

This can happen since the size of |pathBuf2| is kMaxPathLen + 1, so the 3rd argument of strncpy might be kMaxPathLen.
Comment hidden (mozreview-request)
If you read the comment right above that line, that is 100% intentional:

      // We do not assume the second path is 0-terminated, this is
      // enforced below.
      strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);

The bug is:

        // Force 0 termination.
        pathBuf[pathLen2] = '\0';

Which should've been pathBuf2[...]
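
An added example (not the Firefox source) that reproduces the pattern from the comment above with constructed values: `kMaxPathLen` is shrunk to 8, the first path is made up, and `pathLen2` is assumed to be the second path's length capped at `kMaxPathLen`. It shows what the misdirected store does for an over-long and for a short second path, next to the corrected store.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { kMaxPathLen = 8 };   /* constructed small value for the demo */

struct result {
    int second_terminated;  /* is there a '\0' inside pathBuf2? */
    size_t first_len;       /* strlen of the first path after the store */
};

/* Assumed stand-in for pathLen2: length of the untrusted second path, capped
 * at kMaxPathLen. src is NUL-terminated or holds >= kMaxPathLen + 1 bytes. */
static size_t capped_len(const char *src) {
    const char *nul = memchr(src, '\0', kMaxPathLen + 1);
    return nul ? (size_t)(nul - src) : (size_t)kMaxPathLen;
}

/* fix == 0: the terminating store hits pathBuf, as in the report.
 * fix == 1: the store hits pathBuf2, as the comment says it should. */
struct result parse_second_path(const char *src, int fix) {
    char pathBuf[kMaxPathLen + 1] = "/a/first";   /* constructed first path */
    char pathBuf2[kMaxPathLen + 1];
    struct result r;
    size_t pathLen2 = capped_len(src);

    memset(pathBuf2, 'X', sizeof(pathBuf2));      /* stand-in for stale stack bytes */
    /* Copies at most kMaxPathLen + 1 bytes; adds no '\0' if src is that long. */
    strncpy(pathBuf2, src, kMaxPathLen + 1);
    if (fix)
        pathBuf2[pathLen2] = '\0';
    else
        pathBuf[pathLen2] = '\0';

    r.second_terminated = memchr(pathBuf2, '\0', sizeof(pathBuf2)) != NULL;
    r.first_len = strlen(pathBuf);
    return r;
}

int main(void) {
    const char *inputs[] = { "/b/overlong/path", "/b" };   /* constructed */
    for (int i = 0; i < 2; i++)
        for (int fix = 0; fix < 2; fix++) {
            struct result r = parse_second_path(inputs[i], fix);
            printf("%-18s fix=%d terminated=%d first_len=%zu\n",
                   inputs[i], fix, r.second_terminated, r.first_len);
        }
    return 0;
}
```

With the misdirected store, the over-long input leaves `pathBuf2` without a terminator, and the short input silently truncates the first path instead.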

Comment 3

2 years ago
mozreview-review
Comment on attachment 8799634 [details]
Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain.

https://reviewboard.mozilla.org/r/84782/#review83418
Attachment #8799634 - Flags: review?(gpascutto) → review-
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)

Comment 6

2 years ago
mozreview-review
Comment on attachment 8799634 [details]
Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain.

https://reviewboard.mozilla.org/r/84782/#review83424
Attachment #8799634 - Flags: review?(gpascutto) → review+
Attachment #8799723 - Attachment is obsolete: true
Attachment #8799723 - Flags: review?(jld)

Comment 7

2 years ago
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ed40af32ba48
null terminate pathBuf2 in SandboxBroker::ThreadMain. r=gcp

Comment 8

2 years ago
mozreview-review
Comment on attachment 8799723 [details]
Bug 1309133 - Ensure termination of the correct buffer.

https://reviewboard.mozilla.org/r/84862/#review83426
Attachment #8799723 - Attachment is obsolete: false
Attachment #8799723 - Attachment is obsolete: true

Comment 9

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ed40af32ba48
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox52: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52