From: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Tue, 17 Apr 2018 20:55:59 +0000 (-0400)
Subject: pbrd: remove unsafe string copy
X-Git-Tag: frr-5.0-dev~39^2~3
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=5f504f14a9085d97b6d76d7bcb4d6a86b522801e;p=mirror%2Ffrr.git

pbrd: remove unsafe string copy

A user could overflow the pbr_ifp->mapname buffer by entering a pbr-map
name longer than 100 characters.

Coverity #1467821
Coverity #1467821

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
---

diff --git a/pbrd/pbr_vty.c b/pbrd/pbr_vty.c
index 87ec3804a5..f598b2645c 100644
--- a/pbrd/pbr_vty.c
+++ b/pbrd/pbr_vty.c
@@ -322,27 +322,20 @@ DEFPY (pbr_policy,
 
 	if (no) {
 		if (strcmp(pbr_ifp->mapname, mapname) == 0) {
-			strcpy(pbr_ifp->mapname, "");
-
+			pbr_ifp->mapname[0] = '\0';
 			if (pbrm)
 				pbr_map_interface_delete(pbrm, ifp);
 		}
 	} else {
-		if (strcmp(pbr_ifp->mapname, "") == 0) {
-			strcpy(pbr_ifp->mapname, mapname);
-
-			if (pbrm)
-				pbr_map_add_interface(pbrm, ifp);
-		} else {
-			if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
-				old_pbrm = pbrm_find(pbr_ifp->mapname);
-				if (old_pbrm)
-					pbr_map_interface_delete(old_pbrm, ifp);
-				strcpy(pbr_ifp->mapname, mapname);
-				if (pbrm)
-					pbr_map_add_interface(pbrm, ifp);
-			}
+		if (strcmp(pbr_ifp->mapname, "") != 0) {
+			old_pbrm = pbrm_find(pbr_ifp->mapname);
+			if (old_pbrm)
+				pbr_map_interface_delete(old_pbrm, ifp);
 		}
+		snprintf(pbr_ifp->mapname, sizeof(pbr_ifp->mapname),
+			 "%s", mapname);
+		if (pbrm)
+			pbr_map_add_interface(pbrm, ifp);
 	}
 
 	return CMD_SUCCESS;