stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
Otherwise a malicious user could send an unterminated string to cause unterminated reads.
This commit is contained in:
parent
5ab03863b0
commit
f44b1eb444
|
@ -623,8 +623,8 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
/* read message */
|
||||
msg = malloc(len);
|
||||
/* read message (we need an additional byte to terminate the buffer) */
|
||||
msg = malloc(len + 1);
|
||||
msg->length = len;
|
||||
if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
|
||||
{
|
||||
|
@ -635,6 +635,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
|
|||
free(msg);
|
||||
return FALSE;
|
||||
}
|
||||
/* make sure even incorrectly unterminated strings don't extend over the
|
||||
* message boundaries */
|
||||
((char*)msg)[len] = '\0';
|
||||
|
||||
DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);
|
||||
|
||||
|
|
Loading…
Reference in New Issue