Hello,
proposing patch for some of the issues found by coverity scan in cpio-2.13
Patch:
diff --git a/src/tar.c b/src/tar.c
index 99ef8a2..a5873e7 100644
--- a/src/tar.c
+++ b/src/tar.c
@@ -146,6 +146,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
name_len = strlen (file_hdr->c_name);
if (name_len <= TARNAMESIZE)
{
+ memset(tar_hdr->name, '\0', name_len+1);
strncpy (tar_hdr->name, file_hdr->c_name, name_len);
}
else
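Review bot: The added `memset` clears `name_len+1` bytes, but the guard admits `name_len == TARNAMESIZE`, so at that length the call writes one byte past `tar_hdr->name` (assuming the field is TARNAMESIZE bytes wide, which this hunk does not show). Clearing the fixed field width keeps the write in bounds and still zeroes the unused tail: `memset (tar_hdr->name, '\0', TARNAMESIZE);`. A name of exactly TARNAMESIZE bytes then stays unterminated, which the `<=` in the guard evidently intends, so the copy would read more honestly as `memcpy (tar_hdr->name, file_hdr->c_name, name_len);`. The `else` branch continues outside the hunk.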
@@ -173,8 +174,9 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
{
/* process_copy_out makes sure that c_tar_linkname is shorter
than TARLINKNAMESIZE. */
+ memset(tar_hdr->linkname, '\0', TARLINKNAMESIZE);
strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
- TARLINKNAMESIZE);
+ TARLINKNAMESIZE-1);
tar_hdr->typeflag = LNKTYPE;
to_ascii (tar_hdr->size, 0, 12, LG_8, true);
}
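Review bot: Lowering the bound to `TARLINKNAMESIZE-1` means a link target that ever reaches TARLINKNAMESIZE bytes is cut short silently, so the archive would record a different link target than the file actually has. The only protection is the invariant stated in the comment about process_copy_out, which is not visible here; making it explicit at this call site, for example `assert (strlen (file_hdr->c_tar_linkname) < TARLINKNAMESIZE);` or an error return, would turn a wrong archive entry into a detectable failure. The same applies to the SYMTYPE branch in the next hunk. With the bound reduced, the `memset` is also more than is needed, since strncpy already zero-pads the bytes it covers; `tar_hdr->linkname[TARLINKNAMESIZE-1] = '\0';` after the copy would suffice.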
@@ -200,8 +202,9 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
tar_hdr->typeflag = SYMTYPE;
/* process_copy_out makes sure that c_tar_linkname is shorter
than TARLINKNAMESIZE. */
+ memset(tar_hdr->linkname, '\0', TARLINKNAMESIZE);
strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
- TARLINKNAMESIZE);
+ TARLINKNAMESIZE-1);
to_ascii (tar_hdr->size, 0, 12, LG_8, true);
break;
#endif /* CP_IFLNK */
@@ -211,6 +214,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
{
char *name;
+ memset(tar_hdr->version, '\0', TVERSLEN+1);
strncpy (tar_hdr->magic, TMAGIC, TMAGLEN);
strncpy (tar_hdr->version, TVERSION, TVERSLEN);
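Review bot: The added `memset` clears `TVERSLEN+1` bytes starting at `tar_hdr->version`, which reaches one byte into whatever field follows it if version is TVERSLEN bytes wide, as the scan's "size argument (2)" finding suggests. It also does not address the report: the strncpy two lines below overwrites both version bytes, so the field ends up unterminated exactly as before. If the version field is meant to be a fixed-width, non-terminated value (as in the ustar header layout), saying so directly avoids both the warning and the extra write: `memcpy (tar_hdr->version, TVERSION, TVERSLEN);` with no memset. The enclosing block continues outside the hunk.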
In addition, there are some issues which are not resolved by this patch.
The compiler warns about issues in utimens.c, which I believe are
false positives. Can you please
investigate them and give feedback?
Thank you.
Ondrej
Covscan results:
Error: COMPILER_WARNING (CWE-758):
cpio-2.13/gnu/utimens.c: scope_hint: In function 'fdutimens'
cpio-2.13/gnu/utimens.c:296:17: warning[-Wstringop-overflow=]: 'update_timespec' accessing 16 bytes in a region of size 8
# 296 | if (ts && update_timespec (&st, &ts))
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~
cpio-2.13/gnu/utimens.c:296:17: note: referencing argument 2 of type 'struct timespec * *'
cpio-2.13/gnu/utimens.c:131:1: note: in a call to function 'update_timespec'
# 131 | update_timespec (struct stat const *statbuf, struct timespec *ts[2])
# | ^~~~~~~~~~~~~~~
# 294| && (fd < 0 ? stat (file, &st) : fstat (fd, &st)))
# 295| return -1;
# 296|-> if (ts && update_timespec (&st, &ts))
# 297| return 0;
# 298| }
Error: COMPILER_WARNING (CWE-758):
cpio-2.13/gnu/utimens.c: scope_hint: In function 'lutimens'
cpio-2.13/gnu/utimens.c:507:17: warning[-Wstringop-overflow=]: 'update_timespec' accessing 16 bytes in a region of size 8
# 507 | if (ts && update_timespec (&st, &ts))
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~
cpio-2.13/gnu/utimens.c:507:17: note: referencing argument 2 of type 'struct timespec * *'
cpio-2.13/gnu/utimens.c:131:1: note: in a call to function 'update_timespec'
# 131 | update_timespec (struct stat const *statbuf, struct timespec *ts[2])
# | ^~~~~~~~~~~~~~~
# 505| if (adjustment_needed != 3 && lstat (file, &st))
# 506| return -1;
# 507|-> if (ts && update_timespec (&st, &ts))
# 508| return 0;
# 509| }
Error: COMPILER_WARNING (CWE-758):
cpio-2.13/src/tar.c: scope_hint: In function 'write_out_tar_header'
cpio-2.13/src/tar.c:149:7: warning[-Wstringop-overflow=]: 'strncpy' specified bound depends on the length of the source argument
cpio-2.13/src/tar.c:146:14: note: length computed here
# 147| if (name_len <= TARNAMESIZE)
# 148| {
# 149|-> strncpy (tar_hdr->name, file_hdr->c_name, name_len);
# 150| }
# 151| else
Error: BUFFER_SIZE (CWE-170):
cpio-2.13/src/tar.c:176: buffer_size_warning: Calling "strncpy" with a maximum size argument of 100 bytes on destination array "tar_hdr->linkname" of size 100 bytes might leave the destination string unterminated.
# 174| /* process_copy_out makes sure that c_tar_linkname is shorter
# 175| than TARLINKNAMESIZE. */
# 176|-> strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
# 177| TARLINKNAMESIZE);
# 178| tar_hdr->typeflag = LNKTYPE;
Error: BUFFER_SIZE (CWE-170):
cpio-2.13/src/tar.c:203: buffer_size_warning: Calling "strncpy" with a maximum size argument of 100 bytes on destination array "tar_hdr->linkname" of size 100 bytes might leave the destination string unterminated.
# 201| /* process_copy_out makes sure that c_tar_linkname is shorter
# 202| than TARLINKNAMESIZE. */
# 203|-> strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
# 204| TARLINKNAMESIZE);
# 205| to_ascii (tar_hdr->size, 0, 12, LG_8, true);
Error: BUFFER_SIZE (CWE-120):
cpio-2.13/src/tar.c:215: buffer_size: Calling "strncpy" with a source string whose length (2 chars) is greater than or equal to the size argument (2) will fail to null-terminate "tar_hdr->version".
# 213|
# 214| strncpy (tar_hdr->magic, TMAGIC, TMAGLEN);
# 215|-> strncpy (tar_hdr->version, TVERSION, TVERSLEN);
# 216|
# 217| name = getuser (file_hdr->c_uid);