diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2013-11-29 17:42:11 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2014-01-23 10:15:07 +0100 |
| commit | f44b1eb4447085cff350bcd89dbcd080347b91f8 (patch) | |
| tree | 61aa5f63660d3ffd8e79a89edb9fbbba0bbb58a0 /src | |
| parent | 5ab03863b0b5558cf29c2386839c379506edd779 (diff) | |
| download | strongswan-f44b1eb4447085cff350bcd89dbcd080347b91f8.tar.bz2 strongswan-f44b1eb4447085cff350bcd89dbcd080347b91f8.tar.xz | |
stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
Diffstat (limited to 'src')
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 8c0f2ea7b..1f6ef6bf1 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -623,8 +623,8 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream) return FALSE; } - /* read message */ - msg = malloc(len); + /* read message (we need an additional byte to terminate the buffer) */ + msg = malloc(len + 1); msg->length = len; if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len))) { @@ -635,6 +635,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream) free(msg); return FALSE; } + /* make sure even incorrectly unterminated strings don't extend over the + * message boundaries */ + ((char*)msg)[len] = '\0'; DBG3(DBG_CFG, "stroke message %b", (void*)msg, len); |