From 6ab133294df5ab7bba470f8cc15aa78fa5ea5cdc Mon Sep 17 00:00:00 2001 From: Michael Cobb Date: Wed, 19 Jun 2024 16:28:44 +0100 Subject: [PATCH] Fix out-of-bounds string manipulation causing segfault. If registerForEvents() is called with "libredfish" for the postbackUri parameter, the function accepts this string and passes a pointer to 'postbackUri+11' to getDestinationAddress. In this case, the pointer actually points past the end of the string's null byte. On CHERI architectures, such as ARM Morello, pointer bounds are enforced in hardware and attempting to dereference the pointer passed to getDestinationAddress() causes a segfault. Valid values for postbackUri should include a colon after "libredfish", checking for this as part of the strncmp call rejects the invalid string "libredfish" and this also means that getDestinationAddress() is not passed an invalid pointer. This prevents a segfault on CHERI and prevents undefined behavior on other architectures. Signed-off-by: Michael Cobb --- src/service.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/service.c b/src/service.c index 03ac0bb..7b68bbd 100644 --- a/src/service.c +++ b/src/service.c @@ -932,7 +932,7 @@ bool registerForEvents(redfishService* service, const char* postbackUri, unsigne } //User wants libredfish to listen for events directly... - if(strncmp(postbackUri, "libredfish", 10) == 0) + if(strncmp(postbackUri, "libredfish:", 11) == 0) { destination = getDestinationAddress(postbackUri+11, &socket); if(destination == NULL)
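Review bot: In the changed condition in registerForEvents(), the prefix length 11 still appears twice as a bare literal, once in `strncmp(postbackUri, "libredfish:", 11)` and once in `postbackUri+11`. The bug being fixed came from those two numbers disagreeing (10 in the compare, 11 in the offset). Consider deriving both from a single definition, for example a `static const char prefix[] = "libredfish:";` with `sizeof(prefix) - 1` used for both the compare length and the pointer offset, so they cannot drift apart again. Also note that with this change the input "libredfish:" with nothing after the colon makes `postbackUri+11` point at the terminating NUL. That is in bounds, but getDestinationAddress() then receives an empty string, and the hunk does not show how it treats one. It is worth confirming that it returns NULL there so the `destination == NULL` branch handles it. A regression test calling registerForEvents() with "libredfish" and with "libredfish:" would pin both cases.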