commit 357923dafda766429acbe68470c3bd6028d5ebf5 Author: Sathvika Vasireddy Date: Sun May 5 02:48:25 2024 -0400 rtas_errd: Fix core dump with large filename passed to -f option When a filename passed to rtas_errd's -f option is excessively long, it causes a stack buffer overflow in the _log_msg() function, leading to stack smashing. The _log_msg() function, utilized by log_msg(), operates with a buffer limited to 4096 characters. Additional space is consumed by _dbg() and re-formatting in _log_msg(), increasing the risk of buffer overflow. To address this, in case of an error, if the filename exceeds the length of 2048 characters, truncate it and log a message indicating the truncation. Use 2048 characters as limit for filename length to allow space for further modifications. Additionally, add a check when processing the -f option to ensure that the length of the specified filename does not exceed 4096 characters. Reported-by: R Nageswara Sastry Closes: https://github.com/power-ras/ppc64-diag/issues/31 Signed-off-by: Sathvika Vasireddy Tested-by: R Nageswara Sastry Signed-off-by: Mahesh Salgaonkar
diff --git a/rtas_errd/files.c b/rtas_errd/files.c
index 4be75c6..3750bdc 100644
--- a/rtas_errd/files.c
+++ b/rtas_errd/files.c
@@ -284,10 +284,27 @@ init_files(void)
 proc_error_log_fd = open(proc_error_log2, O_RDONLY);
 if (proc_error_log_fd < 0) {
- log_msg(NULL, "Could not open error log file at either %s or "
- "%s, %s\nThe rtas_errd daemon cannot continue and will "
- "exit", proc_error_log1, proc_error_log2,
- strerror(errno));
+
+ if (strlen(proc_error_log1) <= 2048) {
+ log_msg(NULL, "Could not open error log file at either %s or "
+ "%s, %s\nThe rtas_errd daemon cannot continue and will "
+ "exit", proc_error_log1, proc_error_log2,
+ strerror(errno));
+ } else {
+ /* If the filename is too long, truncate it */
+ char truncated_filename[2048];
+
+ strncpy(truncated_filename, proc_error_log1,
+ sizeof(truncated_filename) - 1);
+ truncated_filename[sizeof(truncated_filename) - 1] = '\0';
+
+ log_msg(NULL, "Truncating the filename since it is too long "
+ "(%d characters)", strlen(proc_error_log1));
+ log_msg(NULL, "Could not open error log file at either %s or "
+ "%s, %s\nThe rtas_errd daemon cannot continue and will "
+ "exit", truncated_filename, proc_error_log2,
+ strerror(errno));
+ }
 return -1;
 }
diff --git a/rtas_errd/rtas_errd.c b/rtas_errd/rtas_errd.c
index 10c422c..f6c6a4a 100644
--- a/rtas_errd/rtas_errd.c
+++ b/rtas_errd/rtas_errd.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include "rtas_errd.h"
 #include "platform.h"
@@ -474,6 +475,12 @@ main(int argc, char *argv[])
 f_flag++;
 proc_error_log1 = optarg;
+ if (strlen(proc_error_log1) > PATH_MAX) {
+ fprintf(stderr, "The specified file path %s exceeds"
+ " the maximum supported file length of 4096 characters.\n",
+ proc_error_log1);
+ goto error_out;
+ }
 proc_error_log2 = NULL;
 break;
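Review bot: In the new else branch, the "Truncating the filename" call passes `strlen(proc_error_log1)` (a size_t) to a `%d` conversion, which is a mismatched variadic argument and undefined behaviour; it should read `"(%zu characters)", strlen(proc_error_log1));`. The 2048-byte stack copy could also be dropped by bounding the conversion itself with `%.2047s` on proc_error_log1, which gives the same truncation without strncpy and manual termination. The commit message places the overflow in _log_msg()'s 4096-byte buffer, which is not visible here; if that formatting is still unbounded, this guard protects only this one call site, and any other log_msg() caller with a long argument remains exposed. Bounding the write there (vsnprintf with the buffer size) would be the durable fix. The body of init_files() starts outside the hunk.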
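Review bot: The added bound in the -f handling, `strlen(proc_error_log1) > PATH_MAX`, still accepts a path of exactly PATH_MAX characters although PATH_MAX counts the terminating NUL, so it should be `if (strlen(proc_error_log1) >= PATH_MAX) {`. The message hard-codes 4096 instead of printing PATH_MAX with `%d`, and it echoes the whole over-long argument back to stderr; reporting only the length would keep the output bounded. Paths between 2048 and 4096 characters pass this check, so any log_msg() call other than the one patched in init_files() that formats proc_error_log1 presumably still reaches the 4096-byte buffer described in the commit message, which is worth confirming against _log_msg(). The body of main() and the `error_out` label are outside the hunk.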