author | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-03-15 20:09:26 +0100 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-03-15 20:58:13 +0100 |
commit | b91013259fa806ad38acb02520b0a7091dd29f2a (patch) | |
tree | 794bef01d7df7215635906e5adee8f2d86e318b4 | |
parent | 0813db372b294b7789f506575b0ddb35173f809f (diff) |
openvpn: String returned from openvpn is not null-terminated
Wireshark shows that strings returned by the OpenVPN management interface in
answer to the "state" cmd contain no null character at the end. As a
consequence, osmo_strlcpy cannot be used since it calls strlen() on the
source.
The previous implementation was probably harmless because we zero-fill msgb
buffers prior to filling them.
Change-Id: I4356dc08324a6d877c9e8112306570aabbf6e777
-rw-r--r-- | src/osysmon_openvpn.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/osysmon_openvpn.c b/src/osysmon_openvpn.c
index d9e38f0..5ca0c83 100644
--- a/src/osysmon_openvpn.c
+++ b/src/osysmon_openvpn.c
@@ -65,9 +65,10 @@ static char *parse_state(struct msgb *msg, struct openvpn_client *vpn)
 char *tok;
 unsigned int i = 0;
 uint8_t *m = msgb_data(msg);
+ unsigned int truncated_len = OSMO_MIN(sizeof(tmp) - 1, msgb_length(msg));
- if (msgb_length(msg) > 128)
- OVPN_LOG(msg, vpn, "received message too long (%d > %u), truncating...\n", msgb_length(msg), 128);
+ if (msgb_length(msg) > truncated_len)
+ OVPN_LOG(msg, vpn, "received message too long (%d >= %u), truncating...\n", msgb_length(msg), truncated_len);
 if (msgb_length(msg) > 0) {
 if (!isdigit(m[0])) /* skip OpenVPN greetings and alike */
@@ -77,7 +78,8 @@ static char *parse_state(struct msgb *msg, struct openvpn_client *vpn)
 return NULL;
 }
- OSMO_STRLCPY_ARRAY(tmp, (char *)m);
+ memcpy(tmp, m, truncated_len);
+ tmp[truncated_len] = '\0';
 for (tok = strtok(tmp, ","); tok && i < MAX_RESP_COMPONENTS; tok = strtok(NULL, ",")) {
 /* The string format is documented in https://openvpn.net/community-resources/management-interface/ */ |
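Review bot: The new log text in the first hunk prints `(%d >= %u)` although the guard is `msgb_length(msg) > truncated_len` and truncated_len is already clamped to `sizeof(tmp) - 1`; the message should use the same comparison as the check, `"received message too long (%d > %u), truncating...\n"`. Separately, after this warning the function still parses the cut-off data, so the last comma-separated field of an over-long reply can be a partial value. Since these bytes arrive from the management socket, returning NULL in this branch may be safer than parsing a truncated state line. That depends on code not shown here, as parse_state's body starts and ends outside the hunk.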
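Review bot: Nothing at the copy site in the second hunk records why a length-bounded memcpy() replaces OSMO_STRLCPY_ARRAY, so a later cleanup could reintroduce the strlen() over-read on the unterminated msgb payload. A comment above the memcpy such as `/* msgb payload is not NUL-terminated: copy by length, then terminate explicitly */` would keep that reasoning with the code. The write stays in bounds only because truncated_len is clamped to `sizeof(tmp) - 1` in the first hunk; the declaration of tmp is outside both hunks, so this presumes tmp remains a real array rather than a pointer.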