Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

strncpy out of bounds fix #1785

Open
wants to merge 2 commits into
base: priettt/ndkCrashFramesFix
Choose a base branch
from
Open

strncpy out of bounds fix #1785

wants to merge 2 commits into from

Conversation

priettt
Copy link
Contributor

@priettt priettt commented Dec 28, 2024

We use strncpy in many places. In almost all places, we call it with the size of the destination array. That means something like this:

char destinationArray[3]
char sourceArray[5]
emb_strncpy(destinationArray, sourceArray, sizeof(destinationArray))

In that case, sizeof(destinationArray) will be 3. That means the while loop will execute until 4, and we will try to write src[3] to dst[3], which is out of bounds.

While C might let you write out of bounds, it may cause memory corruption or failure.

Changes:

  • Modified the while loop so i won't be equal to destination_len.
  • Added a source[i] != '\0' verification in case the source is smaller than the destination. Strings passed in src should end in that termination char. If they don't, we might face another OOB. We could solve this by also passing source_len as a parameter.
  • Added some test cases.
  • Improved naming.

@priettt priettt requested a review from a team as a code owner December 28, 2024 21:04
@priettt priettt changed the base branch from main to priettt/ndkCrashFramesFix December 28, 2024 21:04
@github-actions GitHub Actions
Copy link
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails

Scanned Files

bidetofevil
bidetofevil approved these changes Dec 31, 2024
View reviewed changes
Copy link
Collaborator

@bidetofevil bidetofevil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

welp

fractalwrench
fractalwrench requested changes Jan 2, 2025
View reviewed changes
Copy link
Contributor

@fractalwrench fractalwrench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch on the off-by-one problem. I think we need to make one change to how the string is copied over, then this is good to go

embrace-android-sdk/src/main/cpp/utils/string_utils.c Outdated
while (i <= len) {
char current = src[i];
dst[i] = current;
while (i < destination_len && source[i] != '\0') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change means the null termination character is not copied to the destination array, which could cause various problems downstream as lots of C code assumes that strings must have that character.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fractalwrench fractalwrench fractalwrench requested changes

@bidetofevil bidetofevil bidetofevil approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@priettt @bidetofevil @fractalwrench