From 4b6a67cf7c32bb816268c069380d64af745381f0 Mon Sep 17 00:00:00 2001
From: Alexander Wenzel <Alexander.AW.Wenzel@bmw.de>
Date: Thu, 25 Jul 2013 17:02:42 +0200
Subject: Fixed security issue in dlt-system-shell regarding strncpy.

Signed-off-by: Alexander Wenzel <Alexander.AW.Wenzel@bmw.de>
---
 src/system/dlt-system-shell.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'src/system')

diff --git a/src/system/dlt-system-shell.c b/src/system/dlt-system-shell.c
index 61b4b50..5a35593 100644
--- a/src/system/dlt-system-shell.c
+++ b/src/system/dlt-system-shell.c
@@ -55,18 +55,31 @@
 #include <string.h>
 #include <stdlib.h>
 
+#define DLT_SHELL_COMMAND_MAX_LENGTH 1024
+
 DLT_IMPORT_CONTEXT(dltsystem)
 DLT_DECLARE_CONTEXT(shellContext)
 
 int dlt_shell_injection_callback(uint32_t service_id, void *data, uint32_t length)
 {
+	(void) length;
+	
 	DLT_LOG(shellContext,DLT_LOG_DEBUG,
 			DLT_STRING("dlt-system-shell, injection callback"));
-	char text[1024];
+	char text[DLT_SHELL_COMMAND_MAX_LENGTH];
     int syserr = 0;
 
-	strncpy(text,data,length);
-
+	if(length<DLT_SHELL_COMMAND_MAX_LENGTH-2)
+	{
+		strncpy(text,data,length);
+		text[length] = 0;			
+	}
+	else
+	{
+		strncpy(text,data,DLT_SHELL_COMMAND_MAX_LENGTH-2);
+		text[DLT_SHELL_COMMAND_MAX_LENGTH-1] = 0;	
+	}
+	
 	DLT_LOG(shellContext,DLT_LOG_DEBUG,
 			DLT_STRING("dlt-system-shell, injection injection id:"),
 			DLT_UINT32(service_id));
-- 
cgit v1.2.1