From 43fda34be9c4c8311d9c7d6bdc2c23b04f155264 Mon Sep 17 00:00:00 2001
From: Kevin-Luong <39298548+Kevin-Luong@users.noreply.github.com>
Date: Fri, 29 Jan 2021 08:31:38 +0700
Subject: fscanf() uses dynamic formatting to prevent buffer overflow (#288)

CVE: CVE-2020-29394
Signed-off-by: KHANH LUONG HONG DUY
Co-authored-by: KHANH LUONG HONG DUY
---
 src/shared/dlt_common.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
index f8aa746..5c28113 100644
--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
@@ -390,6 +390,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
     FILE *handle;
     char str1[DLT_COMMON_BUFFER_LENGTH];
     char apid[DLT_ID_SIZE], ctid[DLT_ID_SIZE];
+    char format[10];
     PRINT_FUNCTION_VERBOSE(verbose);
@@ -400,13 +401,15 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
         return DLT_RETURN_ERROR;
     }
+    sprintf(format, "%c%ds", '%', DLT_COMMON_BUFFER_LENGTH-1);
+
     /* Reset filters */
     filter->counter = 0;
     while (!feof(handle)) {
         str1[0] = 0;
-        if (fscanf(handle, "%254s", str1) != 1)
+        if (fscanf(handle, format, str1) != 1)
             break;
         if (str1[0] == 0)
@@ -421,7 +424,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
         str1[0] = 0;
-        if (fscanf(handle, "%254s", str1) != 1)
+        if (fscanf(handle, format, str1) != 1)
             break;
         if (str1[0] == 0)
-- 
cgit v1.2.1
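Review bot: The `sprintf(format, "%c%ds", '%', DLT_COMMON_BUFFER_LENGTH-1)` added in the second hunk is itself an unbounded write into the 10-byte `format` array declared in the first hunk: nothing ties that size to the number of digits in DLT_COMMON_BUFFER_LENGTH-1 (its definition is not visible in this diff), and the result then feeds both fscanf calls (here and in the third hunk) where `-Wformat` can no longer check it because the format is no longer a literal. Bound the write and fail closed if it does not fit: `int n = snprintf(format, sizeof format, "%%%ds", DLT_COMMON_BUFFER_LENGTH - 1);` followed by `if (n < 0 || (size_t)n >= sizeof format) { fclose(handle); return DLT_RETURN_ERROR; }` (assuming handle is already open at that point, as the preceding return suggests), so a truncated format with no conversion letter can never reach fscanf. A comment on that line, `/* "%<N>s" with N = sizeof str1 - 1 leaves room for the NUL terminator */`, records the invariant the width protects. dlt_filter_load begins and ends outside the hunk.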