Improper Null Termination of Table Names #62

Closed
2 tasks done
chillfig opened this issue Mar 2, 2023 · 0 comments · Fixed by #66

chillfig commented Mar 2, 2023

Checklist (Please check before submitting)

  • I reviewed the Contributing Guide.
  • I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug
It is not guaranteed that the source or destination arguments of strncpy for table entry names assure null-termination. Many standard functions, such as strcpy, strlen and strcmp among others, rely on arrays of characters being null-terminated.

Expected behavior
CFE_SB_MessageStringGet

Alternatively considered:
FM strncpy approach
However, this approach won't necessarily handle non-terminated sources properly.

Code snips

strncpy(ResultsEntry->Name, DefEntry->Name, CFE_TBL_MAX_FULL_NAME_LEN);

strncpy(ResultsEntry->Name, DefEntry->Name, OS_MAX_API_NAME);

System observed on:
Imported from JSC static analysis audit

Additional context
The source table data was loaded via CFE_TBL_Load so yes it came from a file which should be considered "untrusted input". Therefore, there is no guarantee that DefEntry->Name (the source here) is null-terminated. However, the current implementation is relying on the assumption that the source and dest are the same length, and thus the function won't read more than it writes, so it's safe-ish.

Reporter Info
Justin Figueroa, Vantage Systems

chillfig changed the title from "Improper Null Termination" to "Improper Null Termination of Table Names" Mar 2, 2023
chillfig self-assigned this Mar 13, 2023
chillfig pushed a commit to chillfig/CS that referenced this issue Mar 13, 2023
dzbaker added a commit that referenced this issue Mar 16, 2023
Fix #62, Adds null termination to table name processing
dmknutsen added this to the Equuleus milestone May 26, 2023
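
The strncpy pattern reported in this issue next to a bounded, always-terminating copy, as an added example that is not part of the issue or the project's code. NAME_LEN, the two struct layouts and copy_fixed_name are hypothetical stand-ins, and the full-width name is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8 /* constructed width; stands in for the table-name length macro */

/* Hypothetical layouts: a name field as loaded from a table file, and the
 * results entry that receives it. */
typedef struct { char Name[NAME_LEN]; } def_entry_t;
typedef struct { char Name[NAME_LEN]; } res_entry_t;

/* Returns 1 if buf holds a '\0' within its own bounds. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Pattern from the issue: a source that fills the field leaves dst unterminated. */
void copy_as_reported(res_entry_t *dst, const def_entry_t *src)
{
    strncpy(dst->Name, src->Name, NAME_LEN);
}

/* Hypothetical helper: reads at most src_size bytes, writes at most dst_size
 * bytes, always terminates dst. Returns the number of characters kept. */
size_t copy_fixed_name(char *dst, size_t dst_size, const char *src, size_t src_size)
{
    size_t n = 0;
    if (dst == NULL || dst_size == 0)
        return 0;
    if (src != NULL) {
        const char *end = memchr(src, '\0', src_size); /* bounded, unlike strlen */
        n = end ? (size_t)(end - src) : src_size;
        if (n > dst_size - 1)
            n = dst_size - 1;                          /* room for the '\0' */
        memcpy(dst, src, n);
    }
    memset(dst + n, 0, dst_size - n);                  /* terminate, clear stale bytes */
    return n;
}

int main(void)
{
    def_entry_t def;
    res_entry_t res;
    memset(def.Name, 'A', NAME_LEN);                   /* constructed: no terminator */
    copy_as_reported(&res, &def);
    printf("strncpy terminated: %d\n", is_terminated(res.Name, NAME_LEN));
    size_t n = copy_fixed_name(res.Name, sizeof res.Name, def.Name, sizeof def.Name);
    printf("bounded copy kept %zu chars: \"%s\"\n", n, res.Name);
    return 0;
}
```

The helper truncates a full-width name to NAME_LEN - 1 characters; a table loader that must not alter names can compare the return value with the source length and reject the entry instead.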