tpm2-software/tpm2-tss

Tss2_PolicyGetDescription() does not null-terminate

joholl opened this issue · 0 comments

Tss2_PolicyGetDescription() returns a description field as a string (it uses strlen() internally), but it does not null-terminate the string for the caller. Instead of memcpy(), strcpy() should be used (and len/*size will have to be incremented by one).

I found this issue using clang-tidy. This is going to be fixed in an upcoming PR by me.

```c
/** Retrieve the description field of a policy.
 *
 * The policy description is only a valid pointer for the lifetime of policy_ctx.
 *
 * @param[in] policy_ctx The policy context from Tss2_PolicyInstantiate.
 * @param[in] description The description from the policy file.
 *
 * @retval TSS2_RC_SUCCESS After the end of the wait.
 * @retval TSS2_FAPI_RC_BAD_REFERENCE an invalid null pointer is passed.
 */
TSS2_RC
Tss2_PolicyGetDescription(
    TSS2_POLICY_CTX *policy_ctx,
    char *buffer,
    size_t *size)
{
    policy_check_not_null(policy_ctx);
    policy_check_not_null(size);

    LOG_TRACE("called for policy_path(%s)",
              policy_ctx->path);

    const char *description = policy_ctx->policy.description;
    size_t len = strlen(description);

    /* NULL buffer let caller know size */
    if (!buffer) {
        *size = len;
        return TSS2_RC_SUCCESS;
    }

    /* specified buffer but too small, let caller know size and error */
    if (*size < len) {
        *size = len;
        return_if_error(TSS2_POLICY_RC_BUFFER_TOO_SMALL, "Specified buffer is too small");
    }

    /* all is well, copy it to user and let them know size */
    *size = len;
    memcpy(buffer, description, len);

    LOG_TRACE("finished, returning: 0x0");
    return TSS2_RC_SUCCESS;
}
```

I took the liberty to flag this as a bug. Feel free to remove the label if you think otherwise.
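The effect on a caller, as an added stand-alone example that is not code from tpm2-tss or from the issue author: two simplified models of the size-query protocol above, one copying `strlen()` bytes as reported and one counting and writing the terminator as the issue proposes. All function names, return-code constants and the sample description are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum { RC_OK = 0, RC_TOO_SMALL = 1 };   /* stand-ins for the TSS2 return codes */
typedef int (*getter_fn)(const char *desc, char *buf, size_t *size);

/* Behaviour reported in the issue: strlen() bytes copied, no terminator. */
static int get_desc_unterminated(const char *desc, char *buf, size_t *size)
{
    size_t len = strlen(desc);
    int too_small = buf && *size < len;
    *size = len;                         /* always report the needed size */
    if (!buf) return RC_OK;              /* size query only */
    if (too_small) return RC_TOO_SMALL;
    memcpy(buf, desc, len);
    return RC_OK;
}

/* Change proposed in the issue: size counts the terminator, strcpy() writes it. */
static int get_desc_terminated(const char *desc, char *buf, size_t *size)
{
    size_t len = strlen(desc) + 1;
    int too_small = buf && *size < len;
    *size = len;
    if (!buf) return RC_OK;
    if (too_small) return RC_TOO_SMALL;
    strcpy(buf, desc);                   /* safe: buffer holds at least len bytes */
    return RC_OK;
}

/* Caller pattern: query the size, then fetch into a buffer pre-filled with 'X'
 * (stand-in for uninitialised memory). Returns 1 if a NUL lies within the
 * reported size, 0 if not, -1 on error. */
static int result_is_terminated(getter_fn fn, const char *desc)
{
    char buf[64];
    size_t size = 0;
    memset(buf, 'X', sizeof buf);
    if (fn(desc, NULL, &size) != RC_OK || size > sizeof buf) return -1;
    if (fn(desc, buf, &size) != RC_OK) return -1;
    return memchr(buf, '\0', size) != NULL;
}

int main(void)
{
    const char *desc = "constructed sample description";
    printf("unterminated: NUL in result = %d\n", result_is_terminated(get_desc_unterminated, desc));
    printf("terminated:   NUL in result = %d\n", result_is_terminated(get_desc_terminated, desc));
    return 0;
}
```

A caller that passes the unterminated result to `printf("%s")` or `strlen()` reads past the copied bytes unless it zero-initialised the buffer or appends the terminator itself.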