authorTom Tsou <tom.tsou@ettus.com>2016-04-28 21:55:17 -0700
committerTom Tsou <tom.tsou@ettus.com>2016-05-02 17:37:05 -0700
commit2c650a6895f573e4455f55f0d1ed136ba8ae4744 (patch)
treeb0a1317a4cda61ba1d90dab064e1909a1f1057b9
parentd4555f267e284d14e9e877f8f82da8bcc2d76d7a (diff)
common: Add mandatory length field to UDP receive calls
Current UDP receive reads up to MAX_UDP_LENGTH bytes into the passed in buffer, which may lead to buffer overflow if the write buffer is of insufficient size. Add mandatory length argument to UDP socket receive calls. Reported-by: Simone Margaritelli <simone@zimperium.com> Signed-off-by: Tom Tsou <tom.tsou@ettus.com>
-rw-r--r--CommonLibs/Sockets.cpp22
-rw-r--r--CommonLibs/Sockets.h4
-rw-r--r--CommonLibs/SocketsTest.cpp4
-rw-r--r--Transceiver52M/Transceiver.cpp4
4 files changed, 15 insertions, 19 deletions
diff --git a/CommonLibs/Sockets.cpp b/CommonLibs/Sockets.cpp
index c502a78..9030a86 100644
--- a/CommonLibs/Sockets.cpp
+++ b/CommonLibs/Sockets.cpp
@@ -187,24 +187,20 @@ int DatagramSocket::send(const struct sockaddr* dest, const char * message)
return send(dest,message,length);
}
-
-
-
-
-int DatagramSocket::read(char* buffer)
+int DatagramSocket::read(char* buffer, size_t length)
{
- socklen_t temp_len = sizeof(mSource);
- int length = recvfrom(mSocketFD, (void*)buffer, MAX_UDP_LENGTH, 0,
- (struct sockaddr*)&mSource,&temp_len);
- if ((length==-1) && (errno!=EAGAIN)) {
+ socklen_t addr_len = sizeof(mSource);
+ int rd_length = recvfrom(mSocketFD, (void *) buffer, length, 0,
+ (struct sockaddr*) &mSource, &addr_len);
+
+ if ((rd_length==-1) && (errno!=EAGAIN)) {
perror("DatagramSocket::read() failed");
throw SocketError();
}
- return length;
+ return rd_length;
}
-
-int DatagramSocket::read(char* buffer, unsigned timeout)
+int DatagramSocket::read(char* buffer, size_t length, unsigned timeout)
{
fd_set fds;
FD_ZERO(&fds);
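Review bot: A datagram longer than `length` is truncated by `recvfrom` with no signal to the caller, so `DatagramSocket::read(char*, size_t)` can return a cut-off message that looks complete. Callers that parse the payload need to tell the two apart; one option is to receive with `recvmsg` and treat `MSG_TRUNC` in `msg_flags` as an error, or at least to state the truncation on the declaration. Separately, `recvfrom` returns `ssize_t` and the result is narrowed into `int rd_length`; `ssize_t rd_length` would avoid the implicit conversion until the return. The timeout overload's body continues outside this hunk.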
@@ -218,7 +214,7 @@ int DatagramSocket::read(char* buffer, unsigned timeout)
throw SocketError();
}
if (sel==0) return -1;
- if (FD_ISSET(mSocketFD,&fds)) return read(buffer);
+ if (FD_ISSET(mSocketFD,&fds)) return read(buffer, length);
return -1;
}
diff --git a/CommonLibs/Sockets.h b/CommonLibs/Sockets.h
index c79f79a..0a70269 100644
--- a/CommonLibs/Sockets.h
+++ b/CommonLibs/Sockets.h
@@ -108,7 +108,7 @@ public:
@param buffer A char[MAX_UDP_LENGTH] procured by the caller.
@return The number of bytes received or -1 on non-blocking pass.
*/
- int read(char* buffer);
+ int read(char* buffer, size_t length);
/**
Receive a packet with a timeout.
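Review bot: The doc comment above `int read(char* buffer, size_t length);` still describes `buffer` as `A char[MAX_UDP_LENGTH] procured by the caller` and has no entry for the new parameter, so the contract that prevents the overflow is not written down. I would change it to `@param buffer Caller-provided buffer of at least length bytes.` and add `@param length Capacity of buffer in bytes; at most this many bytes are written.` The timeout overload in the next hunk needs the same `@param length` line. The comment block starts outside this hunk.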
@@ -116,7 +116,7 @@ public:
@param maximum wait time in milliseconds
@return The number of bytes received or -1 on timeout.
*/
- int read(char* buffer, unsigned timeout);
+ int read(char* buffer, size_t length, unsigned timeout);
/** Send a packet to a given destination, other than the default. */
diff --git a/CommonLibs/SocketsTest.cpp b/CommonLibs/SocketsTest.cpp
index 9a4997b..1fa8bbd 100644
--- a/CommonLibs/SocketsTest.cpp
+++ b/CommonLibs/SocketsTest.cpp
@@ -42,7 +42,7 @@ void *testReaderIP(void *)
int rc = 0;
while (rc<gNumToSend) {
char buf[MAX_UDP_LENGTH];
- int count = readSocket.read(buf);
+ int count = readSocket.read(buf, MAX_UDP_LENGTH);
if (count>0) {
COUT("read: " << buf);
rc++;
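Review bot: `buf` is streamed as a C string in `COUT("read: " << buf)`, but `read(buf, MAX_UDP_LENGTH)` may fill the whole array and never writes a terminator, so the print can run past the end of `buf`. Passing `sizeof(buf) - 1` and setting `buf[count] = '\0';` inside the `count>0` branch bounds it, and `sizeof(buf)` keeps the length tied to the declaration. The same applies to `testReaderUnix` in the next hunk. Both loops continue outside their hunks.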
@@ -62,7 +62,7 @@ void *testReaderUnix(void *)
int rc = 0;
while (rc<gNumToSend) {
char buf[MAX_UDP_LENGTH];
- int count = readSocket.read(buf);
+ int count = readSocket.read(buf, MAX_UDP_LENGTH);
if (count>0) {
COUT("read: " << buf);
rc++;
diff --git a/Transceiver52M/Transceiver.cpp b/Transceiver52M/Transceiver.cpp
index 7f13a09..23eea23 100644
--- a/Transceiver52M/Transceiver.cpp
+++ b/Transceiver52M/Transceiver.cpp
@@ -704,7 +704,7 @@ void Transceiver::driveControl(size_t chan)
int msgLen = -1;
buffer[0] = '\0';
- msgLen = mCtrlSockets[chan]->read(buffer);
+ msgLen = mCtrlSockets[chan]->read(buffer, sizeof(buffer));
if (msgLen < 1) {
return;
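Review bot: `sizeof(buffer)` is the buffer capacity only if `buffer` is declared as an array in `driveControl`; the declaration is outside this hunk, and if it is a `char*` this passes the pointer size instead. The `buffer[0] = '\0'` line suggests the message is later handled as a C string, in which case a datagram that fills the buffer leaves it unterminated. `read(buffer, sizeof(buffer) - 1)` followed by `buffer[msgLen] = '\0';` after the `msgLen < 1` check would cover that, once confirmed against the rest of the function.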
@@ -872,7 +872,7 @@ bool Transceiver::driveTxPriorityQueue(size_t chan)
char buffer[gSlotLen+50];
// check data socket
- size_t msgLen = mDataSockets[chan]->read(buffer);
+ size_t msgLen = mDataSockets[chan]->read(buffer, sizeof(buffer));
if (msgLen!=gSlotLen+1+4+1) {
LOG(ERR) << "badly formatted packet on GSM->TRX interface";
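Review bot: `read()` returns `int` and uses -1 for the non-blocking pass, but the result is stored in `size_t msgLen`, so -1 becomes a very large value and is reported as `badly formatted packet` instead of being handled as no data. Declaring `int msgLen` and checking `if (msgLen < 0)` before the length comparison keeps the two cases apart; the comparison can then use `(size_t) msgLen`. The rest of `driveTxPriorityQueue` is outside this hunk, so whether the error path returns early cannot be seen here.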