sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-09 00:00:53 -04:00
Code Issues Projects Releases Wiki Activity

stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated

Browse Source 
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
This commit is contained in:
Tobias Brunner 2013-11-29 17:42:11 +01:00
parent 5ab03863b0
commit f44b1eb444
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/libcharon/plugins/stroke/stroke_socket.c
View File

@ -623,8 +623,8 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
return FALSE; return FALSE;
} }
/* read message */ /* read message (we need an additional byte to terminate the buffer) */
msg = malloc(len); msg = malloc(len + 1);
msg->length = len; msg->length = len;
if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len))) if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
{ {
@ -635,6 +635,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
free(msg); free(msg);
return FALSE; return FALSE;
} }
/* make sure even incorrectly unterminated strings don't extend over the
* message boundaries */
((char*)msg)[len] = '\0';
DBG3(DBG_CFG, "stroke message %b", (void*)msg, len); DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);