api: remove garbage from sockclnt_create reply

The fix uses memset to zero after alloc,
as sizing of source string is not obvious.

Function vl_msg_api_alloc_zero is added (and used),
so similar bugs can be fixed easily.

Type: fix
Ticket: VPP-1716

Change-Id: I3b20040d0de4222686c58779f2c0af78c5543504
Signed-off-by: Vratko Polak <vrpolak@cisco.com>

3 files changed, 25 insertions, 2 deletions

diff --git a/src/vlibmemory/memory_shared.c b/src/vlibmemory/memory_shared.c
index 703db9da4ec..fa9936982ee 100644
--- a/src/vlibmemory/memory_shared.c
+++ b/src/vlibmemory/memory_shared.c
@@ -209,6 +209,16 @@ vl_msg_api_alloc (int nbytes)
 }
 
 void *
+vl_msg_api_alloc_zero (int nbytes)
+{
+  void *ret;
+
+  ret = vl_msg_api_alloc (nbytes);
+  clib_memset (ret, 0, nbytes);
+  return ret;
+}
+
+void *
 vl_msg_api_alloc_or_null (int nbytes)
 {
   int pool;
@@ -226,6 +236,16 @@ vl_msg_api_alloc_as_if_client (int nbytes)
 }
 
 void *
+vl_msg_api_alloc_zero_as_if_client (int nbytes)
+{
+  void *ret;
+
+  ret = vl_msg_api_alloc_as_if_client (nbytes);
+  clib_memset (ret, 0, nbytes);
+  return ret;
+}
+
+void *
 vl_msg_api_alloc_as_if_client_or_null (int nbytes)
 {
   return vl_msg_api_alloc_internal (nbytes, 0, 1 /* may_return_null */ );
diff --git a/src/vlibmemory/memory_shared.h b/src/vlibmemory/memory_shared.h
index 662eaf96589..8d5e472e455 100644
--- a/src/vlibmemory/memory_shared.h
+++ b/src/vlibmemory/memory_shared.h
@@ -109,8 +109,10 @@ typedef struct vl_shmem_hdr_
 #define VL_API_EPOCH_SHIFT 8
 
 void *vl_msg_api_alloc (int nbytes);
+void *vl_msg_api_alloc_zero (int nbytes);
 void *vl_msg_api_alloc_or_null (int nbytes);
 void *vl_msg_api_alloc_as_if_client (int nbytes);
+void *vl_msg_api_alloc_zero_as_if_client (int nbytes);
 void *vl_msg_api_alloc_as_if_client_or_null (int nbytes);
 void *vl_mem_api_alloc_as_if_client_w_reg (vl_api_registration_t * reg,
 					   int nbytes);
diff --git a/src/vlibmemory/socket_api.c b/src/vlibmemory/socket_api.c
index 31c1ff9880e..d3beafb3345 100644
--- a/src/vlibmemory/socket_api.c
+++ b/src/vlibmemory/socket_api.c
@@ -439,7 +439,7 @@ vl_api_sockclnt_create_t_handler (vl_api_sockclnt_create_t * mp)
   regp->name = format (0, "%s%c", mp->name, 0);
 
   u32 size = sizeof (*rp) + (nmsg * sizeof (vl_api_message_table_entry_t));
-  rp = vl_msg_api_alloc (size);
+  rp = vl_msg_api_alloc_zero (size);
   rp->_vl_msg_id = htons (VL_API_SOCKCLNT_CREATE_REPLY);
   rp->index = htonl (sock_api_registration_handle (regp));
   rp->context = mp->context;
@@ -450,7 +450,8 @@ vl_api_sockclnt_create_t_handler (vl_api_sockclnt_create_t * mp)
   hash_foreach_pair (hp, am->msg_index_by_name_and_crc,
   ({
     rp->message_table[i].index = htons(hp->value[0]);
-    strncpy((char *)rp->message_table[i].name, (char *)hp->key, 64-1);
+    strncpy_s((char *)rp->message_table[i].name, 64 /* bytes of space at dst */,
+              (char *)hp->key, 64-1 /* chars to copy, without zero byte. */);
     i++;
   }));
   /* *INDENT-ON* */