From: Jouni Malinen Date: Tue, 10 Nov 2009 16:29:38 +0000 (+0200) Subject: dbus: Use snprintf() and bounds checking instead of strcat() X-Git-Tag: hostap_0_7_0~72 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=68e7cb49b404392a8bc838ec63bb0fa32a1e48f3;hp=d69780dcbb049ff00e5a33e974ab7e2025e5a571;p=libeap.git dbus: Use snprintf() and bounds checking instead of strcat() Better make sure we do not end up writing over the end of the local registered_sig buffer regardless of how many arguments are used in dbus method description. --- diff --git a/wpa_supplicant/ctrl_iface_dbus_new_helpers.c b/wpa_supplicant/ctrl_iface_dbus_new_helpers.c index 78db812..98414a5 100644 --- a/wpa_supplicant/ctrl_iface_dbus_new_helpers.c +++ b/wpa_supplicant/ctrl_iface_dbus_new_helpers.c @@ -970,22 +970,27 @@ static DBusMessage * get_all_properties( } -static int is_signature_correct(DBusMessage * message, +static int is_signature_correct(DBusMessage *message, struct wpa_dbus_method_desc *method_dsc) { /* According to DBus documentation max length of signature is 255 */ - #define MAX_SIG_LEN 256 - - char registered_sig[MAX_SIG_LEN]; +#define MAX_SIG_LEN 256 + char registered_sig[MAX_SIG_LEN], *pos; const char *sig = dbus_message_get_signature(message); - int i; + int i, ret; - registered_sig[0] = 0; + pos = registered_sig; + *pos = '\0'; for (i = 0; i < method_dsc->args_num; i++) { struct wpa_dbus_argument arg = method_dsc->args[i]; - if (arg.dir == ARG_IN) - strcat(registered_sig, arg.type); + if (arg.dir == ARG_IN) { + size_t blen = registered_sig + MAX_SIG_LEN - pos; + ret = os_snprintf(pos, blen, "%s", arg.type); + if (ret < 0 || (size_t) ret >= blen) + return 0; + pos += ret; + } } return !os_strncmp(registered_sig, sig, MAX_SIG_LEN);