Fix out-of-bounds string manipulation causing segfault.

mcobbice · mcobbice · commit 6ab133294df5 · 2024-09-25T13:13:26.000+01:00
If registerForEvents() is called with "libredfish" for the postbackUri
parameter, the function accepts this string and passes a pointer to
'postbackUri+11' to getDestinationAddress. In this case, the pointer actually
points past the end of the string's null byte.
On CHERI architectures, such as ARM Morello, pointer bounds are enforced in
hardware and attempting to dereference the pointer passed to
getDestinationAddress() causes a segfault.

Valid values for postbackUri should include a colon after "libredfish",
checking for this as part of the strncmp call rejects the invalid string
"libredfish" and this also means that getDestinationAddress() is not passed
an invalid pointer. This prevents a segfault on CHERI and prevents undefined
behavior on other architectures.

Signed-off-by: Michael Cobb &lt;michael.cobb@iceotope.com&gt;
diff --git a/src/service.c b/src/service.c
@@ -932,7 +932,7 @@ bool registerForEvents(redfishService* service, const char* postbackUri, unsigne
     }
 
     //User wants libredfish to listen for events directly...
-    if(strncmp(postbackUri, "libredfish", 10) == 0)
+    if(strncmp(postbackUri, "libredfish:", 11) == 0)
     {
         destination = getDestinationAddress(postbackUri+11, &socket);
         if(destination == NULL)

Original file line number	Diff line number	Diff line change
`@@ -932,7 +932,7 @@ bool registerForEvents(redfishService* service, const char* postbackUri, unsigne`
`932`	`932`	`}`
`933`	`933`
`934`	`934`	`//User wants libredfish to listen for events directly...`
`935`		`- if(strncmp(postbackUri, "libredfish", 10) == 0)`
	`935`	`+ if(strncmp(postbackUri, "libredfish:", 11) == 0)`
`936`	`936`	`{`
`937`	`937`	`destination = getDestinationAddress(postbackUri+11, &socket);`
`938`	`938`	`if(destination == NULL)`