From c166a030a1be0e4006605dd12190741986e0f9f2 Mon Sep 17 00:00:00 2001
From: Sander Vrijders
Date: Thu, 27 Sep 2018 11:36:42 +0200
Subject: tools: Fix memleaks and buffer overflows in irm tool
This fixes some memleaks and potential buffer overflows in the irm tool.
Signed-off-by: Sander Vrijders
Signed-off-by: Dimitri Staessens
---
 include/ouroboros/ipcp.h | 4 ++--
 src/tools/irm/irm_ipcp_bootstrap.c | 7 ++++++-
 src/tools/irm/irm_ipcp_destroy.c | 1 +
 src/tools/irm/irm_unregister.c | 7 +++++--
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/include/ouroboros/ipcp.h b/include/ouroboros/ipcp.h
index c7013f08..e423a015 100644
--- a/include/ouroboros/ipcp.h
+++ b/include/ouroboros/ipcp.h
@@ -27,7 +27,7 @@
 #include
 #include
-#define LAYER_NAME_SIZE 256
+#define LAYER_NAME_SIZE 255
 /*
 * NOTE: the IRMd uses this order to select an IPCP
@@ -67,7 +67,7 @@ enum pol_dir_hash {
 /* Info reported back to the IRMd about the layer on enrollment */
 struct layer_info {
- char layer_name[LAYER_NAME_SIZE];
+ char layer_name[LAYER_NAME_SIZE + 1];
 int dir_hash_algo;
 };
diff --git a/src/tools/irm/irm_ipcp_bootstrap.c b/src/tools/irm/irm_ipcp_bootstrap.c
index e1f75956..3d9386ad 100644
--- a/src/tools/irm/irm_ipcp_bootstrap.c
+++ b/src/tools/irm/irm_ipcp_bootstrap.c
@@ -287,10 +287,15 @@ int do_bootstrap_ipcp(int argc,
 if (autobind && conf.type != IPCP_NORMAL) {
 printf("Can only bind normal IPCPs, "
- "autobind disabled.\n");
+ "autobind disabled.\n\n");
 autobind = false;
 }
+ if (strlen(layer) > LAYER_NAME_SIZE) {
+ printf("Layer name too big.\n\n");
+ goto fail_usage;
+ }
+
 strcpy(conf.layer_info.layer_name, layer);
 if (conf.type != IPCP_UDP)
 conf.layer_info.dir_hash_algo = hash_algo;
diff --git a/src/tools/irm/irm_ipcp_destroy.c b/src/tools/irm/irm_ipcp_destroy.c
index cb86b167..2d5ed983 100644
--- a/src/tools/irm/irm_ipcp_destroy.c
+++ b/src/tools/irm/irm_ipcp_destroy.c
@@ -89,6 +89,7 @@ int do_destroy_ipcp(int argc,
 break;
 }
+ free(ipcps);
 return 0;
 fail_destroy:
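Review bot: `LAYER_NAME_SIZE` silently changes meaning in include/ouroboros/ipcp.h, from the size of the buffer (256) to the longest name it can hold (255), and nothing at the define says so. Only `struct layer_info` is adjusted, in the second hunk of this header. Any other declaration or bound in the tree that still reads `char buf[LAYER_NAME_SIZE]`, or that copies up to `LAYER_NAME_SIZE` bytes plus a terminator into such a buffer, would now be one byte short, and that cannot be checked from this diff. A comment such as `/* Maximum layer name length, excluding the terminating NUL */` above the define would explain the `+ 1` in `layer_name[LAYER_NAME_SIZE + 1]` and keep later users from reintroducing the off-by-one.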
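Review bot: The new length guard in irm_ipcp_bootstrap.c, placed before `strcpy(conf.layer_info.layer_name, layer)`, is correct only while the destination stays `LAYER_NAME_SIZE + 1` bytes, because it compares against the macro rather than the buffer. Tying it to the destination, `if (strlen(layer) >= sizeof(conf.layer_info.layer_name)) {`, keeps the check and the copy in step if the struct changes again. `layer` is set by argument parsing outside this hunk, so whether it can still be NULL when `strlen(layer)` runs is not visible here; if it can, it needs a NULL test first. do_bootstrap_ipcp starts and ends outside the hunk.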
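Review bot: Only the success path of do_destroy_ipcp is shown releasing the list: `free(ipcps);` is added before `return 0;`, while the code under the `fail_destroy:` label is cut off by the hunk, so it is not visible whether the error exit frees `ipcps` too. If it does not, the leak this commit targets remains whenever a destroy fails part-way, and the same `free(ipcps);` belongs before the return under `fail_destroy:`. irm_unregister.c in this commit treats a negative return from `irm_list_ipcps()` as an error, so it is also worth confirming that this function checks for one before walking and freeing `ipcps`.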
diff --git a/src/tools/irm/irm_unregister.c b/src/tools/irm/irm_unregister.c
index 52491b42..137bc7e9 100644
--- a/src/tools/irm/irm_unregister.c
+++ b/src/tools/irm/irm_unregister.c
@@ -69,7 +69,7 @@ int do_unregister(int argc, char ** argv)
 char * ipcp[MAX_IPCPS];
 size_t ipcp_len = 0;
 struct ipcp_info * ipcps;
- size_t len;
+ ssize_t len;
 size_t i;
 while (argc > 0) {
@@ -103,7 +103,10 @@ int do_unregister(int argc, char ** argv)
 }
 len = irm_list_ipcps(&ipcps);
- for (i = 0; i < len; ++i) {
+ if (len < 0)
+ return -1;
+
+ for (i = 0; i < (size_t) len; ++i) {
 size_t j;
 for (j = 0; j < layers_len; j++) {
 if (wildcard_match(ipcps[i].layer, layers[j]) == 0) {
--
cgit v1.2.3
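Review bot: Nothing in the second hunk of irm_unregister.c releases the array returned through `ipcps`: the new `if (len < 0) return -1;` covers the failed call, but the loop that follows reads `ipcps[i]` and the function continues past the hunk. It is worth confirming that every exit after a successful `irm_list_ipcps()` ends in `free(ipcps);`, as irm_ipcp_destroy.c now does on its success path. The early return is also silent, so a short message before it, such as `printf("Failed to list IPCPs.\n");`, would tell the user why nothing was unregistered. The `ssize_t len` declaration in the first hunk of this file is what makes the `len < 0` test meaningful.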