From 84aa522629f32c10b81a082f2ee91adff67c90f1 Mon Sep 17 00:00:00 2001 From: tilghman Date: Fri, 7 Mar 2008 06:54:47 +0000 Subject: Merged revisions 106552 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r106552 | tilghman | 2008-03-07 00:36:33 -0600 (Fri, 07 Mar 2008) | 6 lines Safely use the strncat() function. (closes issue #11958) Reported by: norman Patches: 20080209__bug11958.diff.txt uploaded by Corydon76 (license 14) ........ git-svn-id: http://svn.digium.com/svn/asterisk/trunk@106553 f38db490-d61c-443f-a65b-d21fe96a405b --- apps/app_chanspy.c | 2 +- apps/app_rpt.c | 4 ++-- apps/app_speech_utils.c | 2 +- apps/app_voicemail.c | 4 ++-- channels/chan_misdn.c | 8 ++++---- channels/chan_sip.c | 4 ++-- funcs/func_enum.c | 2 +- funcs/func_odbc.c | 2 +- funcs/func_strings.c | 6 +++--- main/asterisk.c | 8 +++++--- main/channel.c | 4 ++-- main/frame.c | 6 +++--- utils/extconf.c | 2 +- 13 files changed, 28 insertions(+), 26 deletions(-) diff --git a/apps/app_chanspy.c b/apps/app_chanspy.c index e0377d35f..0bf676891 100644 --- a/apps/app_chanspy.c +++ b/apps/app_chanspy.c @@ -682,7 +682,7 @@ static int common_exec(struct ast_channel *chan, const struct ast_flags *flags, continue; strcpy(peer_name, "spy-"); - strncat(peer_name, peer->name, AST_NAME_STRLEN); + strncat(peer_name, peer->name, AST_NAME_STRLEN - 4 - 1); ptr = strchr(peer_name, '/'); *ptr++ = '\0'; diff --git a/apps/app_rpt.c b/apps/app_rpt.c index f703aaec0..0957af0ea 100644 --- a/apps/app_rpt.c +++ b/apps/app_rpt.c @@ -3321,7 +3321,7 @@ static int function_macro(struct rpt *myrpt, char *param, char *digitbuf, int co return DC_ERROR; } myrpt->macrotimer = MACROTIME; - strncat(myrpt->macrobuf, val, sizeof(myrpt->macrobuf) - 1); + strncat(myrpt->macrobuf, val, sizeof(myrpt->macrobuf) - strlen(myrpt->macrobuf) - 1); rpt_mutex_unlock(&myrpt->lock); return DC_COMPLETE; } @@ -3369,7 +3369,7 @@ static int function_gosub(struct rpt *myrpt, char *param, char *digitbuf, int co return DC_ERROR; } myrpt->gosubtimer = GOSUBTIME; - strncat(myrpt->gosubbuf, val, sizeof(myrpt->gosubbuf) - 1); + strncat(myrpt->gosubbuf, val, sizeof(myrpt->gosubbuf) - strlen(myrpt->gosubbuf) - 1); rpt_mutex_unlock(&myrpt->lock); return DC_COMPLETE; } diff --git a/apps/app_speech_utils.c b/apps/app_speech_utils.c index 2445955f4..221d2eb5c 100644 --- a/apps/app_speech_utils.c +++ b/apps/app_speech_utils.c @@ -696,7 +696,7 @@ static int speech_background(struct ast_channel *chan, void *data) } time(&start); snprintf(tmp, sizeof(tmp), "%c", f->subclass); - strncat(dtmf, tmp, sizeof(dtmf)); + strncat(dtmf, tmp, sizeof(dtmf) - strlen(dtmf) - 1); /* If the maximum length of the DTMF has been reached, stop now */ if (max_dtmf_len && strlen(dtmf) == max_dtmf_len) done = 1; diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c index e250c1fe3..84b1f3101 100644 --- a/apps/app_voicemail.c +++ b/apps/app_voicemail.c @@ -4085,8 +4085,8 @@ static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu, make_file(msgfile, sizeof(msgfile), curdir, curmsg); strcpy(textfile, msgfile); strcpy(backup, msgfile); - strncat(textfile, ".txt", sizeof(textfile) - 1); - strncat(backup, "-bak", sizeof(backup) - 1); + strncat(textfile, ".txt", sizeof(textfile) - strlen(textfile) - 1); + strncat(backup, "-bak", sizeof(backup) - strlen(backup) - 1); msg_cfg = ast_config_load(textfile, config_flags); diff --git a/channels/chan_misdn.c b/channels/chan_misdn.c index 252b00438..f94f2527b 100644 --- a/channels/chan_misdn.c +++ b/channels/chan_misdn.c @@ -2384,12 +2384,12 @@ static int misdn_digit_end(struct ast_channel *ast, char digit, unsigned int dur switch (p->state ) { case MISDN_CALLING: if (strlen(bc->infos_pending) < sizeof(bc->infos_pending) - 1) - strncat(bc->infos_pending, buf, sizeof(bc->infos_pending) - 1); + strncat(bc->infos_pending, buf, sizeof(bc->infos_pending) - strlen(bc->infos_pending) - 1); break; case MISDN_CALLING_ACKNOWLEDGE: ast_copy_string(bc->info_dad, buf, sizeof(bc->info_dad)); if (strlen(bc->dad) < sizeof(bc->dad) - 1) - strncat(bc->dad, buf, sizeof(bc->dad) - 1); + strncat(bc->dad, buf, sizeof(bc->dad) - strlen(bc->dad) - 1); ast_copy_string(p->ast->exten, bc->dad, sizeof(p->ast->exten)); misdn_lib_send_event( bc, EVENT_INFORMATION); break; @@ -4112,7 +4112,7 @@ cb_events(enum event_e event, struct misdn_bchannel *bc, void *user_data) ast_copy_string(bc->info_dad, bc->keypad, sizeof(bc->info_dad)); } - strncat(bc->dad,bc->info_dad, sizeof(bc->dad) - 1); + strncat(bc->dad,bc->info_dad, sizeof(bc->dad) - strlen(bc->dad) - 1); ast_copy_string(ch->ast->exten, bc->dad, sizeof(ch->ast->exten)); /* Check for Pickup Request first */ @@ -4186,7 +4186,7 @@ cb_events(enum event_e event, struct misdn_bchannel *bc, void *user_data) misdn_cfg_get(0, MISDN_GEN_APPEND_DIGITS2EXTEN, &digits, sizeof(digits)); if (ch->state != MISDN_CONNECTED ) { if (digits) { - strncat(bc->dad, bc->info_dad, sizeof(bc->dad) - 1); + strncat(bc->dad, bc->info_dad, sizeof(bc->dad) - strlen(bc->dad) - 1); ast_copy_string(ch->ast->exten, bc->dad, sizeof(ch->ast->exten)); ast_cdr_update(ch->ast); } diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fa9052dfa..40645214a 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -2208,7 +2208,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_serve ast_mutex_unlock(req.socket.lock); if (me->stop) goto cleanup; - strncat(req.data, buf, sizeof(req.data) - req.len); + strncat(req.data, buf, sizeof(req.data) - req.len - 1); req.len = strlen(req.data); } parse_copy(&reqcpy, &req); @@ -2223,7 +2223,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_serve if (me->stop) goto cleanup; cl -= strlen(buf); - strncat(req.data, buf, sizeof(req.data) - req.len); + strncat(req.data, buf, sizeof(req.data) - req.len - 1); req.len = strlen(req.data); } } diff --git a/funcs/func_enum.c b/funcs/func_enum.c index d69881955..a60b748a7 100644 --- a/funcs/func_enum.c +++ b/funcs/func_enum.c @@ -93,7 +93,7 @@ static int function_enum(struct ast_channel *chan, const char *cmd, char *data, for (s = p = args.number; *s; s++) { if (*s != '-') { snprintf(tmp, sizeof(tmp), "%c", *s); - strncat(num, tmp, sizeof(num)); + strncat(num, tmp, sizeof(num) - strlen(num) - 1); } } diff --git a/funcs/func_odbc.c b/funcs/func_odbc.c index fe7e9896d..13701873f 100644 --- a/funcs/func_odbc.c +++ b/funcs/func_odbc.c @@ -379,7 +379,7 @@ static int acf_odbc_read(struct ast_channel *chan, const char *cmd, char *s, cha } if (!ast_strlen_zero(colnames)) - strncat(colnames, ",", sizeof(colnames) - 1); + strncat(colnames, ",", sizeof(colnames) - strlen(colnames) - 1); namelen = strlen(colnames); /* Copy data, encoding '\' and ',' for the argument parser */ diff --git a/funcs/func_strings.c b/funcs/func_strings.c index aaa4b0a97..45d476ef2 100644 --- a/funcs/func_strings.c +++ b/funcs/func_strings.c @@ -322,7 +322,7 @@ static int hashkeys_read(struct ast_channel *chan, const char *cmd, char *data, AST_LIST_TRAVERSE(&chan->varshead, newvar, entries) { if (strncasecmp(prefix, ast_var_name(newvar), plen) == 0) { /* Copy everything after the prefix */ - strncat(buf, ast_var_name(newvar) + plen, len); + strncat(buf, ast_var_name(newvar) + plen, len - strlen(buf) - 1); /* Trim the trailing ~ */ buf[strlen(buf) - 1] = ','; } @@ -387,8 +387,8 @@ static int hash_read(struct ast_channel *chan, const char *cmd, char *data, char for (i = 0; i < arg2.argc; i++) { snprintf(varname, sizeof(varname), HASH_FORMAT, arg.hashname, arg2.col[i]); varvalue = pbx_builtin_getvar_helper(chan, varname); - strncat(buf, varvalue, len); - strncat(buf, ",", len); + strncat(buf, varvalue, len - strlen(buf) - 1); + strncat(buf, ",", len - strlen(buf) - 1); } /* Strip trailing comma */ diff --git a/main/asterisk.c b/main/asterisk.c index 21aee3b6e..37cc579cb 100644 --- a/main/asterisk.c +++ b/main/asterisk.c @@ -2061,10 +2061,12 @@ static char *cli_prompt(EditLine *el) if (color_used) { /* Force colors back to normal at end */ term_color_code(term_code, COLOR_WHITE, COLOR_BLACK, sizeof(term_code)); - if (strlen(term_code) > sizeof(prompt) - strlen(prompt)) - strncat(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code)); - else + if (strlen(term_code) > sizeof(prompt) - strlen(prompt) - 1) { + ast_copy_string(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code) + 1); + } else { + /* This looks wrong, but we've already checked the length of term_code to ensure it's safe */ strncat(p, term_code, sizeof(term_code)); + } } } else if (remotehostname) snprintf(prompt, sizeof(prompt), ASTERISK_PROMPT2, remotehostname); diff --git a/main/channel.c b/main/channel.c index 3c68a71b7..20c2ee497 100644 --- a/main/channel.c +++ b/main/channel.c @@ -4774,12 +4774,12 @@ char *ast_print_group(char *buf, int buflen, ast_group_t group) for (i = 0; i <= 63; i++) { /* Max group is 63 */ if (group & ((ast_group_t) 1 << i)) { if (!first) { - strncat(buf, ", ", buflen); + strncat(buf, ", ", buflen - strlen(buf) - 1); } else { first = 0; } snprintf(num, sizeof(num), "%u", i); - strncat(buf, num, buflen); + strncat(buf, num, buflen - strlen(buf) - 1); } } return buf; diff --git a/main/frame.c b/main/frame.c index 940ff5c5c..f2ceabf16 100644 --- a/main/frame.c +++ b/main/frame.c @@ -992,16 +992,16 @@ int ast_codec_pref_string(struct ast_codec_pref *pref, char *buf, size_t size) slen = strlen(formatname); if (slen > total_len) break; - strncat(buf,formatname,total_len); + strncat(buf, formatname, total_len - 1); /* safe */ total_len -= slen; } if (total_len && x < 31 && ast_codec_pref_index(pref , x + 1)) { - strncat(buf,"|",total_len); + strncat(buf, "|", total_len - 1); /* safe */ total_len--; } } if (total_len) { - strncat(buf,")",total_len); + strncat(buf, ")", total_len - 1); /* safe */ total_len--; } diff --git a/utils/extconf.c b/utils/extconf.c index c5b9fbdea..5d4b21eac 100644 --- a/utils/extconf.c +++ b/utils/extconf.c @@ -476,7 +476,7 @@ static void CB_ADD_LEN(char *str, int len) return; comment_buffer_size += CB_INCR+len+1; } - strncat(comment_buffer,str,len); + strncat(comment_buffer,str,len); /* safe */ comment_buffer[cbl+len-1] = 0; } -- cgit v1.2.3