authorPablo Neira Ayuso <pablo@gnumonks.org>2013-05-12 20:43:26 +0200
committerPablo Neira Ayuso <pablo@gnumonks.org>2013-05-12 20:44:00 +0200
commita2c7f909ef930f7ca098fc5e4b97255dd90878ba (patch)
tree751870044e0f51265e3b5616654b9ea19e1ec66e /src
parent282aee422f27795a8445c1d78f9463f2a15d0573 (diff)
osmux: add sanity checking to osmux_snprintf
Add sanity checking to avoid crashes on malformed OSMUX packets
Diffstat (limited to 'src')
-rw-r--r--src/osmux.c23
1 files changed, 18 insertions, 5 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 61aebb5..8213525 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -572,17 +572,32 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
unsigned int offset = 0;
int msg_len = msg->len, len = size;
struct osmux_hdr *osmuxh = (struct osmux_hdr *)msg->data;
- int this_len;
+ int this_len = 0;
while (msg_len > 0) {
- this_len = sizeof(struct osmux_hdr) +
- osmux_get_payload_len(osmuxh);
+ if (msg_len < sizeof(struct osmux_hdr)) {
+ LOGP(DLMIB, LOGL_ERROR,
+ "No room for OSMUX header: only %d bytes\n",
+ msg_len);
+ return -1;
+ }
+ osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + this_len);
ret = osmux_snprintf_header(buf+offset, size, osmuxh);
if (ret < 0)
break;
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+ this_len = sizeof(struct osmux_hdr) +
+ osmux_get_payload_len(osmuxh);
+
+ if (msg_len < this_len) {
+ LOGP(DLMIB, LOGL_ERROR,
+ "No room for OSMUX payload: only %d bytes\n",
+ msg_len);
+ return -1;
+ }
+
ret = osmux_snprintf_payload(buf+offset, size,
osmux_get_payload(osmuxh),
osmux_get_payload_len(osmuxh));
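Review bot: The header pointer in the added line `osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + this_len);` is offset by `this_len`, which holds only the previous batch's length rather than the total consumed so far, so from the third batch onward it points back into data that was already parsed. The two new length checks compare `msg_len`, the true remaining byte count, against a header read from that other position, so on a multi-batch message they do not validate the header that actually sits at the parse position. Deriving the offset from the remaining count fixes this without a new variable: `osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + (msg->len - msg_len));`. The function body starts before this hunk and continues past it, so the loop tail is only partly visible here.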
@@ -591,8 +606,6 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
msg_len -= this_len;
-
- osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + this_len);
}
return offset;