From 160df8433a95cbf7d5177a6975791d560397d5c7 Mon Sep 17 00:00:00 2001
From: Yonghua Huang <yonghua.huang@intel.com>
Date: Mon, 21 May 2018 23:49:58 +0800
Subject: [PATCH] DM: fix buffer overflow risk issues in hugetlb.c

Add buffer boundaries to avoid overflow

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
---
 devicemodel/core/hugetlb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/devicemodel/core/hugetlb.c b/devicemodel/core/hugetlb.c
index 183e70e9e..1272f993e 100644
--- a/devicemodel/core/hugetlb.c
+++ b/devicemodel/core/hugetlb.c
@@ -119,7 +119,7 @@ static int open_hugetlbfs(struct vmctx *ctx, int level)
 	strncpy(path, hugetlb_priv[level].mount_path, MAX_PATH_LEN);
 
 	/* UUID will use 32 bytes */
-	if (strlen(path) + 32 > MAX_PATH_LEN) {
+	if (strnlen(path, MAX_PATH_LEN) + 32 > MAX_PATH_LEN) {
 		perror("PATH overflow");
 		return -ENOMEM;
 	}
@@ -298,9 +298,10 @@ static int create_hugetlb_dirs(int level)
 		return -EINVAL;
 	}
 
-	strcpy(tmp_path, path);
+	memset(tmp_path, '\0', MAX_PATH_LEN);
+	strncpy(tmp_path, path, MAX_PATH_LEN - 1);
 
-	if (tmp_path[len - 1] != '/')
+	if ((tmp_path[len - 1] != '/') && (strlen(tmp_path) < MAX_PATH_LEN - 1))
 		strcat(tmp_path, "/");
 
 	len = strlen(tmp_path);