generic-library/libupnp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix broken strncat(..., strlen())

Browse Source 
commit 0edaf3361d replaced several
malloc()+strcat() sequences with strncat() using strlen() on the
*source* string.
This is still vulnerable to overwrite the *target* buffer.

While reviewing this commit change the code to directly use snprintf()
for concatenating strings and check the length of the target buffer.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
This commit is contained in:
Philipp Matthias Hahn
2014-05-01 10:41:20 +02:00
committed by Marcelo Roberto Jimenez
parent 04fb684323
commit 848d66e69d
2 changed files with 10 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
upnp/src/genlib/net/http/httpreadwrite.c
View File

@@ -481,13 +481,12 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
memset(Chunk_Header, 0,
sizeof(Chunk_Header));
rc = snprintf(Chunk_Header,
sizeof(Chunk_Header) - strlen ("\r\n"),
"%" PRIzx, num_read);
if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header) - strlen ("\r\n")) {
sizeof(Chunk_Header),
"%" PRIzx "\r\n", num_read);
if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header)) {
RetVal = UPNP_E_INTERNAL_ERROR;
goto Cleanup_File;
}
strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
/* Copy the chunk size header */
memcpy(file_buf - strlen(Chunk_Header),
Chunk_Header,