All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH obexd] Fix writing out of bounds in add_slash func
@ 2011-07-21  7:22 Radoslaw Jablonski
  2011-07-26 11:25 ` Johan Hedberg
  0 siblings, 1 reply; 2+ messages in thread
From: Radoslaw Jablonski @ 2011-07-21  7:22 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Radoslaw Jablonski

diff --git a/plugins/vcard.c b/plugins/vcard.c
index b997fc4..a6eb5f5 100644
--- a/plugins/vcard.c
+++ b/plugins/vcard.c
@@ -101,27 +101,41 @@ static void add_slash(char *dest, const char *src, int len_max, int len)
 {
 	int i, j;
 
-	for (i = 0, j = 0; i < len && j < len_max; i++, j++) {
+	for (i = 0, j = 0; i < len && j < len_max - 1; i++, j++) {
+		/* filling dest buffer - last field need to be reserved
+		 * for '\0'*/
 		switch (src[i]) {
 		case '\n':
+			if (j == len_max - 2)
+				/* not enough space in the buffer to put char
+				 * preceded with escaping sequence */
+				goto done;
+
 			dest[j++] = '\\';
 			dest[j] = 'n';
 			break;
 		case '\r':
+			if (j == len_max - 2)
+				goto done;
+
 			dest[j++] = '\\';
 			dest[j] = 'r';
 			break;
 		case '\\':
 		case ';':
 		case ',':
+			if (j == len_max - 2)
+				goto done;
+
 			dest[j++] = '\\';
 		default:
 			dest[j] = src[i];
 			break;
 		}
 	}
+
+done:
 	dest[j] = 0;
-	return;
 }
 
 static void get_escaped_fields(char **fields, ...)
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH obexd] Fix writing out of bounds in add_slash func
  2011-07-21  7:22 [PATCH obexd] Fix writing out of bounds in add_slash func Radoslaw Jablonski
@ 2011-07-26 11:25 ` Johan Hedberg
  0 siblings, 0 replies; 2+ messages in thread
From: Johan Hedberg @ 2011-07-26 11:25 UTC (permalink / raw)
  To: Radoslaw Jablonski; +Cc: linux-bluetooth

Hi Radek,

On Thu, Jul 21, 2011, Radoslaw Jablonski wrote:
> diff --git a/plugins/vcard.c b/plugins/vcard.c
> index b997fc4..a6eb5f5 100644
> --- a/plugins/vcard.c
> +++ b/plugins/vcard.c
> @@ -101,27 +101,41 @@ static void add_slash(char *dest, const char *src, int len_max, int len)
>  {
>  	int i, j;
>  
> -	for (i = 0, j = 0; i < len && j < len_max; i++, j++) {
> +	for (i = 0, j = 0; i < len && j < len_max - 1; i++, j++) {
> +		/* filling dest buffer - last field need to be reserved
> +		 * for '\0'*/
>  		switch (src[i]) {
>  		case '\n':
> +			if (j == len_max - 2)
> +				/* not enough space in the buffer to put char
> +				 * preceded with escaping sequence */
> +				goto done;

I think it'd be more robust and clear that you're testing for an upper
limit to have a > or >= comparison here and in the other places, e.g.
if (j + 2 >= len_max)

> +done:
>  	dest[j] = 0;
> -	return;
>  }

The return statement removal is a code cleanup which should be in its
own patch.

Johan

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-07-26 11:25 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-07-21  7:22 [PATCH obexd] Fix writing out of bounds in add_slash func Radoslaw Jablonski
2011-07-26 11:25 ` Johan Hedberg

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.