From 52fce19fabf2e529c9bd332bcf8c5a4b56e42725 Mon Sep 17 00:00:00 2001
From: "John (J5) Palmieri"
Date: Sat, 23 Apr 2005 22:34:48 +0000
Subject: * dbus/dbus-marshal-recursive-util.c: Fixed buffer overflow in numerous places that did not account for the NULL terminator (signature_from_seed): changed the manual string copy loop to just use strcpy instead make check should now pass
---
ChangeLog | 8 ++++++++
dbus/dbus-marshal-recursive-util.c | 30 ++++++++++++------------------
2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7802a2e9..56301ee7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@ +2005-04-23 John (J5) Palmieri + + * dbus/dbus-marshal-recursive-util.c: Fixed buffer overflow + in numerous places that did not account for the NULL terminator + (signature_from_seed): changed the manual string copy loop to + just use strcpy instead + make check should now pass + 2005-04-19 John (J5) Palmieri * dbus/dbus-marshal-header.c (_dbus_header_create): Fix assert
diff --git a/dbus/dbus-marshal-recursive-util.c b/dbus/dbus-marshal-recursive-util.c
index 0d06bc2f..2a2c57d9 100644
--- a/dbus/dbus-marshal-recursive-util.c
+++ b/dbus/dbus-marshal-recursive-util.c
@@ -2458,9 +2458,10 @@ string_write_value (TestTypeNode *node, DBusTypeWriter *writer, int seed) { - char buf[MAX_SAMPLE_STRING_LEN]; + char buf[MAX_SAMPLE_STRING_LEN + 1]=""; const char *v_string = buf; + string_from_seed (buf, node->klass->subclass_detail, seed);
@@ -2475,7 +2476,8 @@ string_read_value (TestTypeNode *node, int seed) { const char *v; - char buf[MAX_SAMPLE_STRING_LEN]; + char buf[MAX_SAMPLE_STRING_LEN + 1]; + v = buf; check_expected_type (reader, node->klass->typecode);
@@ -2501,7 +2503,7 @@ string_set_value (TestTypeNode *node, DBusTypeReader *realign_root, int seed) { - char buf[MAX_SAMPLE_STRING_LEN]; + char buf[MAX_SAMPLE_STRING_LEN + 1]; const char *v_string = buf; string_from_seed (buf, node->klass->subclass_detail,
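Review bot: Of the nine resized buffers only the one in string_write_value gains an initializer, `char buf[MAX_SAMPLE_STRING_LEN + 1]="";`, while string_read_value and string_set_value in the next two hunks, and the object-path and signature buffers further down, stay uninitialized. If string_from_seed always terminates what it writes, the initializer is redundant and zero-fills the whole array on every call; if it does not, the two sibling string buffers need it as well. string_from_seed is not part of this patch, so which case holds cannot be told from here, but the sites should agree, and the declaration should read `char buf[MAX_SAMPLE_STRING_LEN + 1] = "";` to match the spacing used elsewhere in the file. The function body continues past the end of the hunk.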
@@ -2730,7 +2732,7 @@ object_path_write_value (TestTypeNode *node, DBusTypeWriter *writer, int seed) { - char buf[MAX_SAMPLE_OBJECT_PATH_LEN]; + char buf[MAX_SAMPLE_OBJECT_PATH_LEN + 1]; const char *v_string = buf; object_path_from_seed (buf, seed);
@@ -2746,7 +2748,7 @@ object_path_read_value (TestTypeNode *node, int seed) { const char *v; - char buf[MAX_SAMPLE_OBJECT_PATH_LEN]; + char buf[MAX_SAMPLE_OBJECT_PATH_LEN + 1]; check_expected_type (reader, node->klass->typecode);
@@ -2771,7 +2773,7 @@ object_path_set_value (TestTypeNode *node, DBusTypeReader *realign_root, int seed) { - char buf[MAX_SAMPLE_OBJECT_PATH_LEN]; + char buf[MAX_SAMPLE_OBJECT_PATH_LEN + 1]; const char *v_string = buf; object_path_from_seed (buf, seed);
@@ -2786,8 +2788,6 @@ static void signature_from_seed (char *buf, int seed) { - int i; - const char *s; /* try to avoid ascending, descending, or alternating length to help find bugs */ const char *sample_signatures[] = { "asax"
@@ -2798,13 +2798,7 @@ signature_from_seed (char *buf, "a(ii)" }; - s = sample_signatures[seed % _DBUS_N_ELEMENTS(sample_signatures)]; - - for (i = 0; s[i]; i++) - { - buf[i] = s[i]; - } - buf[i] = '\0'; + strcpy (buf, sample_signatures[seed % _DBUS_N_ELEMENTS(sample_signatures)]); } static dbus_bool_t
@@ -2813,7 +2807,7 @@ signature_write_value (TestTypeNode *node, DBusTypeWriter *writer, int seed) { - char buf[MAX_SAMPLE_SIGNATURE_LEN]; + char buf[MAX_SAMPLE_SIGNATURE_LEN + 1]; const char *v_string = buf; signature_from_seed (buf, seed);
@@ -2829,7 +2823,7 @@ signature_read_value (TestTypeNode *node, int seed) { const char *v; - char buf[MAX_SAMPLE_SIGNATURE_LEN]; + char buf[MAX_SAMPLE_SIGNATURE_LEN + 1]; check_expected_type (reader, node->klass->typecode);
@@ -2855,7 +2849,7 @@ signature_set_value (TestTypeNode *node, DBusTypeReader *realign_root, int seed) { - char buf[MAX_SAMPLE_SIGNATURE_LEN]; + char buf[MAX_SAMPLE_SIGNATURE_LEN + 1]; const char *v_string = buf; signature_from_seed (buf, seed);
-- cgit
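Review bot: The new `strcpy (buf, sample_signatures[...]);` in signature_from_seed writes into a buffer whose size the function never receives, so it stays in bounds only while every caller declares `char buf[MAX_SAMPLE_SIGNATURE_LEN + 1]` and no table entry is longer than MAX_SAMPLE_SIGNATURE_LEN. This commit exists because that implicit agreement was off by one, so I would make it checkable: keep the local `s` and put `_dbus_assert (strlen (s) <= MAX_SAMPLE_SIGNATURE_LEN);` before `strcpy (buf, s);`. The same unstated contract appears to govern string_from_seed and object_path_from_seed, whose bodies are outside this patch; a comment at the MAX_SAMPLE_* definitions saying the length excludes the terminating NUL would cover all nine call sites. The middle of the table lies between the two signature_from_seed hunks and cannot be checked from here, and the visible context line `"asax"` shows no trailing comma, so if the next entry is another literal the two concatenate and the longest entry is not what the table appears to list.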