sw:tools: fix vulnerabilities level 4 and 5

Signed-off-by: Federico Vaga <federico.vaga@cern.ch>

sw:tools: fix vulnerabilities level 4 and 5
Signed-off-by: Federico Vaga <federico.vaga@cern.ch>
2fbe1809 · Federico Vaga · 03dfaf46 · 2fbe1809 · 2fbe1809 · 2fbe1809
Commit 2fbe1809 authored Jul 12, 2021 by Federico Vaga
Hide whitespace changes
Inline Side-by-side

Showing with 73 additions and 45 deletions

fau-acq-time.c software/tools/fau-acq-time.c +6 -5

fau-calibration.c software/tools/fau-calibration.c +35 -27

fau-trg-config.c software/tools/fau-trg-config.c +32 -13

No files found.
--- a/software/tools/fau-acq-time.c
+++ b/software/tools/fau-acq-time.c
@@ -17,9 +17,10 @@

 static char git_version[] = "version: " GIT_VERSION;

-#define buf_len 50
+#define path_len 200
+#define base_len 40
 /* user will edit by adding the device name */
-char basepath[40] = "/sys/bus/zio/devices/";
+char basepath[base_len] = "/sys/bus/zio/devices/";

 enum fau_attribute {
 	FAU_UTR_STR_S,
@@ -55,10 +56,10 @@ const char *attribute[] = {
 /* Write a sysfs attribute */
 int fau_read_attribute(enum fau_attribute attr, long *val)
 {
-	char fullpath[200];
+	char fullpath[path_len];
 	FILE *f;

-	sprintf(fullpath, "%s%s", basepath, attribute[attr]);
+	snprintf(fullpath, path_len, "%s%s", basepath, attribute[attr]);
 	f = fopen(fullpath, "r");
 	if (!f)
 		return -1;
@@ -153,7 +154,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}

-	strcat(basepath, argv[argc-1]);
+	strncat(basepath, argv[argc-1], base_len);
 	printf("Sysfs path to device is: %s\n", basepath);

 	if (last) {

--- a/software/tools/fau-calibration.c
+++ b/software/tools/fau-calibration.c
@@ -19,27 +19,30 @@
 #include <fmc-adc-100m14b4cha.h>

 static char options[] = "hf:o:D:b";
-static const char help_msg[] =
-	"Usage: fau-calibration [options]\n"
-	"\n"
-	"It reads calibration data from a file that contains it in binary\n"
-	"form and it shows it on STDOUT in binary form or in human readable\n"
-	"one (default).\n"
-	"This could be used to change the ADC calibration data at runtime\n"
-	"by redirectiong the binary output of this program to the proper \n"
-	"sysfs binary attribute\n"
-	"Rembember that we expect all values to be little endian\n"
-	"\n"
-	"General options:\n"
-	"-h                 Print this message\n"
-	"-b                 Show Calibration in binary form \n"
-	"\n"
-	"Read options:\n"
-	"-f                 Source file where to read calibration data from\n"
-	"-o                 Offset in bytes within the file (default 0)\n"
-	"Write options:\n"
-	"-D                 FMC ADC Target Device ID\n"
-	"\n";
+
+static void fau_calibration_help(void)
+{
+	fputs("Usage: fau-calibration [options]\n"
+		  "\n"
+		  "It reads calibration data from a file that contains it in binary\n"
+		  "form and it shows it on STDOUT in binary form or in human readable\n"
+		  "one (default).\n"
+		  "This could be used to change the ADC calibration data at runtime\n"
+		  "by redirectiong the binary output of this program to the proper \n"
+		  "sysfs binary attribute\n"
+		  "Rembember that we expect all values to be little endian\n"
+		  "\n"
+		  "General options:\n"
+		  "-h                 Print this message\n"
+		  "-b                 Show Calibration in binary form \n"
+		  "\n"
+		  "Read options:\n"
+		  "-f                 Source file where to read calibration data from\n"
+		  "-o                 Offset in bytes within the file (default 0)\n"
+		  "Write options:\n"
+		  "-D                 FMC ADC Target Device ID\n"
+		  "\n", stdout);
+}

 /**
 * Read calibration data from file
@@ -49,7 +52,7 @@ static const char help_msg[] =
 *
 * Return: number of bytes read
 */
-static int fau_calibration_read(char *path, struct fa_calib *calib,
+static int fau_calibration_read(const char *path, struct fa_calib *calib,
 				off_t offset)
 {
 	int fd;
@@ -59,8 +62,13 @@ static int fau_calibration_read(char *path, struct fa_calib *calib,
 	if (fd < 0)
 		return -1;
 	ret = lseek(fd, offset, SEEK_SET);
-	if (ret >= 0)
+	if (ret >= 0) {
 		ret = read(fd, calib, sizeof(*calib));
+		if (ret != sizeof(*calib)) {
+			ret = -1;
+			errno =EINVAL;
+		}
+	}
 	close(fd);

 	return ret;
@@ -121,11 +129,11 @@ static int fau_calibration_dump_machine(struct fa_calib *calib)
 */
 static int fau_calibration_write(unsigned int devid, struct fa_calib *calib)
 {
-	char path[128];
+	char path[55]; // store exactly the path we need
 	int fd;
 	int ret;

-	sprintf(path,
+	snprintf(path, sizeof(path),
 		"/sys/bus/zio/devices/adc-100m14b-%04x/calibration_data",
 		devid);

@@ -151,8 +159,8 @@ int main(int argc, char *argv[])
 	while ((c = getopt(argc, argv, options)) != -1) {
 		switch (c) {
 		default:
-		case 'h':
-			fprintf(stderr, help_msg);
+			case 'h':
+			fau_calibration_help();
 			exit(EXIT_SUCCESS);
 		case 'D':
 			ret = sscanf(optarg, "0x%x", &devid);

--- a/software/tools/fau-trg-config.c
+++ b/software/tools/fau-trg-config.c
@@ -12,16 +12,20 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <getopt.h>
+#include <errno.h>
 #include <string.h>
 #include <unistd.h>
+#include <limits.h>
 #include <fcntl.h>
 #include <errno.h>

 static char git_version[] = "version: " GIT_VERSION;

+#define path_len 200
 #define buf_len 50
+#define base_len 40
 /* user will edit by adding the device name */
-char basepath[40] = "/sys/bus/zio/devices/";
+char basepath[base_len] = "/sys/bus/zio/devices/";

 enum fau_attribute {
 	FAU_TRG_EN,
@@ -54,19 +58,21 @@ const char *attribute[] = {
 int fau_write_attribute(enum fau_attribute attr, uint32_t val)
 {
 	int  ret, fd;
-	char buf[buf_len], fullpath[200];
+	char buf[buf_len], fullpath[path_len];

 	/* convert val to string */
-	sprintf(buf,"%u",val);
+	snprintf(buf, buf_len, "%u",val);
 	/* build the attribute path */
-	strcpy(fullpath, basepath);
-	strcat(fullpath, attribute[attr]);
+	strncpy(fullpath, basepath, path_len);
+	if (path_len > 0)
+		fullpath[path_len -1] = '\0';
+	strncat(fullpath, attribute[attr], path_len);
 	/* Write the attribute */
 	printf("Writing %s in %s\n", buf, fullpath);
 	fd = open(fullpath, O_WRONLY);
 	if (fd < 0)
 		return -ENOENT;
-	ret = write(fd, buf, strlen(buf));
+	ret = write(fd, buf, strnlen(buf, buf_len));
 	close(fd);
 	return ret;
 }
@@ -102,6 +108,19 @@ static void print_version(char *pname)
 	printf("%s %s\n", pname, git_version);
 }

+
+static long strtol_or_die(const char *arg)
+{
+	long val = strtol(arg, NULL, 0);
+
+	if ((errno == ERANGE && (val == LONG_MAX || val == LONG_MIN)) || (errno != 0 && val == 0)) {
+		fprintf(stderr, "Can't convert \"%s\" to integer\n", optarg);
+		exit(EXIT_FAILURE);
+	}
+
+	return val;
+}
+
 int main(int argc, char *argv[])
 {
 	/* default attribute */
@@ -137,22 +156,22 @@ int main(int argc, char *argv[])
 						options, &opt_index)) >=0 ){
 		switch(c){
 		case 'p':
-			attrval[FAU_TRG_PRE] = atoi(optarg);
+			attrval[FAU_TRG_PRE] = strtol_or_die(optarg);
 			break;
 		case 'P':
-			attrval[FAU_TRG_PST] = atoi(optarg);
+			attrval[FAU_TRG_PST] = strtol_or_die(optarg);
 			break;
 		case 'n':
-			attrval[FAU_TRG_RE_EN] = atoi(optarg);
+			attrval[FAU_TRG_RE_EN] = strtol_or_die(optarg);
 			break;
 		case 'd':
-			attrval[FAU_TRG_DLY] = atoi(optarg);
+			attrval[FAU_TRG_DLY] = strtol_or_die(optarg);
 			break;
 		case 't':
-			attrval[FAU_TRG_THR] = atoi(optarg);
+			attrval[FAU_TRG_THR] = strtol_or_die(optarg);
 			break;
 		case 'c':
-			attrval[FAU_TRG_CHN] = atoi(optarg);
+			attrval[FAU_TRG_CHN] = strtol_or_die(optarg);
 			break;
 		case 'V':
 			print_version(argv[0]);
@@ -171,7 +190,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}

-	strcat(basepath, argv[optind]);
+	strncat(basepath, argv[optind], base_len);
 	printf("Sysfs path to device is: %s\n", basepath);

 	for (i = 0; i < FAU_TRIG_NUM_ATTR; ++i) {