From eab0cc3b9d6f71eb74d0fb0bc75cf0fbc4646bc1 Mon Sep 17 00:00:00 2001
From: reyk
Date: Wed, 11 Jul 2018 21:29:05 +0000
Subject: [PATCH] check string lengths in vm_start
---
 usr.sbin/vmctl/vmctl.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/usr.sbin/vmctl/vmctl.c b/usr.sbin/vmctl/vmctl.c
index bfbc2c22801..c6dec18616a 100644
--- a/usr.sbin/vmctl/vmctl.c
+++ b/usr.sbin/vmctl/vmctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmctl.c,v 1.52 2018/07/11 13:19:47 reyk Exp $ */
+/* $OpenBSD: vmctl.c,v 1.53 2018/07/11 21:29:05 reyk Exp $ */
 /*
 * Copyright (c) 2014 Mike Larkin
@@ -104,8 +104,7 @@ vm_start(uint32_t start_id, const char *name, int memsize, int nnics,
 warnx("starting without network interfaces");
 }
- vmc = calloc(1, sizeof(struct vmop_create_params));
- if (vmc == NULL)
+ if ((vmc = calloc(1, sizeof(struct vmop_create_params))) == NULL)
 return (ENOMEM);
 vmc->vmc_flags = flags;
@@ -126,17 +125,24 @@ vm_start(uint32_t start_id, const char *name, int memsize, int nnics,
 vcp->vcp_id = start_id;
 for (i = 0 ; i < ndisks; i++)
- strlcpy(vcp->vcp_disks[i], disks[i], VMM_MAX_PATH_DISK);
+ if (strlcpy(vcp->vcp_disks[i], disks[i],
+ sizeof(vcp->vcp_disks[i])) >=
+ sizeof(vcp->vcp_disks[i]))
+ errx(1, "disk path too long");
 for (i = 0 ; i < nnics; i++) {
 vmc->vmc_ifflags[i] = VMIFF_UP;
 if (strcmp(".", nics[i]) == 0) {
 /* Add a "local" interface */
- strlcpy(vmc->vmc_ifswitch[i], "", IF_NAMESIZE);
+ (void)strlcpy(vmc->vmc_ifswitch[i], "",
+ sizeof(vmc->vmc_ifswitch[i]));
 vmc->vmc_ifflags[i] |= VMIFF_LOCAL;
 } else {
 /* Add an interface to a switch */
- strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE);
+ if (strlcpy(vmc->vmc_ifswitch[i], nics[i],
+ sizeof(vmc->vmc_ifswitch[i])) >=
+ sizeof(vmc->vmc_ifswitch[i]))
+ errx(1, "interface name too long");
 }
 }
 if (name != NULL) {
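Review bot: The two loops in the third hunk still index `vcp->vcp_disks[i]` and `vmc->vmc_ifswitch[i]` by the caller-supplied `ndisks` and `nnics`, and nothing visible here bounds those counts against the array dimensions, so the new per-string length checks do not stop a write past the end of the arrays themselves. The start of vm_start and its callers are outside the hunk and may already cap both values; if they do not, a guard ahead of each loop such as `if ((size_t)ndisks > sizeof(vcp->vcp_disks) / sizeof(vcp->vcp_disks[0])) errx(1, "too many disks");` (and the equivalent for `nnics`) would close that. Separately, the message on the switch branch reads "interface name too long" although the destination is `vmc_ifswitch`; `errx(1, "switch name too long");` would point the user at the argument that was rejected.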
@@ -154,13 +160,18 @@ vm_start(uint32_t start_id, const char *name, int memsize, int nnics,
 errx(1, "invalid VM name");
 }
- strlcpy(vcp->vcp_name, name, VMM_MAX_NAME_LEN);
+ if (strlcpy(vcp->vcp_name, name,
+ sizeof(vcp->vcp_name)) >= sizeof(vcp->vcp_name))
+ errx(1, "vm name too long");
 }
 if (kernel != NULL)
- strlcpy(vcp->vcp_kernel, kernel, VMM_MAX_KERNEL_PATH);
-
+ if (strlcpy(vcp->vcp_kernel, kernel,
+ sizeof(vcp->vcp_kernel)) >= sizeof(vcp->vcp_kernel))
+ errx(1, "kernel name too long");
 if (iso != NULL)
- strlcpy(vcp->vcp_cdrom, iso, VMM_MAX_PATH_CDROM);
+ if (strlcpy(vcp->vcp_cdrom, iso,
+ sizeof(vcp->vcp_cdrom)) >= sizeof(vcp->vcp_cdrom))
+ errx(1, "cdrom name too long");
 imsg_compose(ibuf, IMSG_VMDOP_START_VM_REQUEST, 0, 0, -1, vmc, sizeof(struct vmop_create_params));
--
2.20.1
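Review bot: The `kernel` and `iso` checks are written as an unbraced `if` nested directly inside another unbraced `if`, and the blank line that separated the two statements was removed, so a later `else` or an extra statement added under either one would bind to the wrong condition. Folding each pair into a single condition keeps the same behaviour and removes the hazard: `if (kernel != NULL && strlcpy(vcp->vcp_kernel, kernel, sizeof(vcp->vcp_kernel)) >= sizeof(vcp->vcp_kernel))` followed by the `errx`, and likewise for `iso`. The disk loop in the previous hunk has the same shape under an unbraced `for`. vm_start begins before this hunk and continues after it.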