From 68e7cb49b404392a8bc838ec63bb0fa32a1e48f3 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 10 Nov 2009 18:29:38 +0200 Subject: [PATCH] dbus: Use snprintf() and bounds checking instead of strcat() Better make sure we do not end up writing over the end of the local registered_sig buffer regardless of how many arguments are used in dbus method description. --- wpa_supplicant/ctrl_iface_dbus_new_helpers.c | 21 ++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/wpa_supplicant/ctrl_iface_dbus_new_helpers.c b/wpa_supplicant/ctrl_iface_dbus_new_helpers.c index 78db8127b..98414a543 100644 --- a/wpa_supplicant/ctrl_iface_dbus_new_helpers.c +++ b/wpa_supplicant/ctrl_iface_dbus_new_helpers.c @@ -970,22 +970,27 @@ static DBusMessage * get_all_properties( } -static int is_signature_correct(DBusMessage * message, +static int is_signature_correct(DBusMessage *message, struct wpa_dbus_method_desc *method_dsc) { /* According to DBus documentation max length of signature is 255 */ - #define MAX_SIG_LEN 256 - - char registered_sig[MAX_SIG_LEN]; +#define MAX_SIG_LEN 256 + char registered_sig[MAX_SIG_LEN], *pos; const char *sig = dbus_message_get_signature(message); - int i; + int i, ret; - registered_sig[0] = 0; + pos = registered_sig; + *pos = '\0'; for (i = 0; i < method_dsc->args_num; i++) { struct wpa_dbus_argument arg = method_dsc->args[i]; - if (arg.dir == ARG_IN) - strcat(registered_sig, arg.type); + if (arg.dir == ARG_IN) { + size_t blen = registered_sig + MAX_SIG_LEN - pos; + ret = os_snprintf(pos, blen, "%s", arg.type); + if (ret < 0 || (size_t) ret >= blen) + return 0; + pos += ret; + } } return !os_strncmp(registered_sig, sig, MAX_SIG_LEN);