From d7c96324c0fc7e23cd901c6166f1a7dba3e5b896 Mon Sep 17 00:00:00 2001
From: Tianyu Li <tianyu.li@arm.com>
Date: Wed, 12 Jul 2023 05:51:42 +0000
Subject: libmemif: fix segfault and buffer overflow in examples

- Fix buffer overflow caused by strncpy(dst, src, strlen(src)),
use sized buffer to ensure overflow safe.

- Fix test_app getopt usage

 When use example/icmp_responder in slave mode
- Fix segfault when buffer size is not specified
- Fix wrong packet send out.

Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I5ed47fd8e630420d7ae0203a2605d2b9abd33d2a
---
 extras/libmemif/examples/common/packet_handler.c | 2 +-
 extras/libmemif/examples/icmp_responder/main.c   | 4 +++-
 extras/libmemif/examples/test_app/main.c         | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'extras/libmemif')

diff --git a/extras/libmemif/examples/common/packet_handler.c b/extras/libmemif/examples/common/packet_handler.c
index 9d3e4d703c1..1e97e46dba2 100644
--- a/extras/libmemif/examples/common/packet_handler.c
+++ b/extras/libmemif/examples/common/packet_handler.c
@@ -48,7 +48,7 @@ icmp_packet_handler (memif_connection_t *c)
       for (i = 0; i < c->tx_buf_num; i++)
 	{
 	  uint32_t len;
-	  void *packet = c->rx_bufs[i].data;
+	  void *packet = c->tx_bufs[i].data;
 
 	  memcpy (c->tx_bufs[i].data, c->rx_bufs[i].data, c->rx_bufs[i].len);
 	  c->tx_bufs[i].flags = c->rx_bufs[i].flags;
diff --git a/extras/libmemif/examples/icmp_responder/main.c b/extras/libmemif/examples/icmp_responder/main.c
index f89f5796805..d70ecb5647e 100644
--- a/extras/libmemif/examples/icmp_responder/main.c
+++ b/extras/libmemif/examples/icmp_responder/main.c
@@ -126,7 +126,7 @@ main (int argc, char *argv[])
   char socket_path[108];
   int id = IF_ID;
 
-  strncpy (socket_path, SOCKET_PATH, strlen (SOCKET_PATH));
+  strncpy (socket_path, SOCKET_PATH, sizeof (SOCKET_PATH));
 
   /* prepare the private data */
   memset (&intf, 0, sizeof (intf));
@@ -219,6 +219,8 @@ main (int argc, char *argv[])
    */
   if (intf.buffer_size)
     memif_conn_args.buffer_size = intf.buffer_size;
+  else
+    intf.buffer_size = 2048;
 
   memif_conn_args.socket = memif_socket;
   memif_conn_args.interface_id = id;
diff --git a/extras/libmemif/examples/test_app/main.c b/extras/libmemif/examples/test_app/main.c
index 763ec6c90e7..54c53921fe7 100644
--- a/extras/libmemif/examples/test_app/main.c
+++ b/extras/libmemif/examples/test_app/main.c
@@ -201,13 +201,13 @@ main (int argc, char *argv[])
   int id0 = IF_ID0;
   int id1 = IF_ID1;
 
-  strncpy (socket_path, SOCKET_PATH, strlen (SOCKET_PATH));
+  strncpy (socket_path, SOCKET_PATH, sizeof (SOCKET_PATH));
 
   /* prepare the private data */
   memset (&intf0, 0, sizeof (intf0));
   memset (&intf1, 0, sizeof (intf1));
 
-  while ((opt = getopt (argc, argv, "r:s:i:t:b:h:v")) != -1)
+  while ((opt = getopt (argc, argv, "r:s:i:t:b:hv")) != -1)
     {
       switch (opt)
 	{
-- 
cgit 1.2.3-korg