author | Robert Bartel <r.bartel@gmx.net> | 2023-03-10 18:31:52 +0000 |
---|---|---|
committer | Paul Mackerras <paulus@ozlabs.org> | 2023-03-17 20:03:10 +1100 |
commit | 6292210a9d14c0d947a5c3fb10f0d289815cd24f (patch) | |
tree | 9361566232ce3692dd888b597a5bc6dbdf0a02e6 | |
parent | a20059a09c56555f6c2006a7193de4c1676b477a (diff) | |
download | ppp-6292210a9d14c0d947a5c3fb10f0d289815cd24f.tar.gz |
Fixing buffer overflow issue in chat.c
There were two issues here, the report_buffer is too small to hold the
value, and accessing the memory outside its bounds. The following fixes
were made:
- Expand the size of report_buffer to 4096 from 256, this is to account
for handling of really long GSM USSD report strings
- Make sure not to access memory outside the bounds of the buffer
Signed-off-by: Robert Bartel <r.bartel@gmx.net>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-rw-r--r-- | chat/chat.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/chat/chat.c b/chat/chat.c index 0740229..a5bfb9f 100644 --- a/chat/chat.c +++ b/chat/chat.c @@ -182,7 +182,7 @@ int n_aborts = 0, abort_next = 0, timeout_next = 0, echo_next = 0; int clear_abort_next = 0; char *report_string[MAX_REPORTS] ; -char report_buffer[256] ; +char report_buffer[4096] ; int n_reports = 0, report_next = 0, report_gathering = 0 ; int clear_report_next = 0; @@ -1419,8 +1419,10 @@ int get_string(register char *string) else { if (!iscntrl (c)) { int rep_len = strlen (report_buffer); - report_buffer[rep_len] = c; - report_buffer[rep_len + 1] = '\0'; + if ((rep_len + 1) < sizeof(report_buffer)) { + report_buffer[rep_len] = c; + report_buffer[rep_len + 1] = '\0'; + } } else { report_gathering = 0; |
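Review bot: In the first hunk (`@@ -182,7 +182,7 @@`), `char report_buffer[4096] ;` replaces one bare literal with another, and nothing in the code records why 4096 was chosen. The commit message gives the reason (long GSM USSD report strings), but that rationale belongs next to the declaration. Consider a named constant, for example a hypothetical `#define REPORT_BUFFER_SIZE 4096`, with a one-line comment. The buffer is still fixed-size, so the bounds check in the second hunk remains the actual protection; the larger size only makes truncation less likely.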
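Review bot: In the second hunk (`@@ -1419,8 +1419,10 @@`, in `get_string`), the new `if ((rep_len + 1) < sizeof(report_buffer))` guard has no else branch, so once the buffer is full every further report character is dropped silently and the report is truncated with no indication to the user. The bound itself is right: the highest index written is `rep_len + 1`, which stays at most `sizeof(report_buffer) - 1`. Consider logging once when the limit is reached, or documenting that reports are truncated at the buffer size. Separately, `rep_len` is declared `int` while `sizeof` yields `size_t`, so the comparison mixes signed and unsigned operands. It is safe here because `strlen` never returns a negative value, but declaring `rep_len` as `size_t` would make that explicit and avoid a sign-compare warning. Calling `strlen (report_buffer)` for every received character also becomes more expensive with the larger buffer; tracking the current length in a variable would avoid the rescan.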