* [PATCH obexd] Fix writing out of bounds in add_slash func
From: Radoslaw Jablonski @ 2011-07-21 7:22 UTC
To: linux-bluetooth; +Cc: Radoslaw Jablonski
diff --git a/plugins/vcard.c b/plugins/vcard.c
index b997fc4..a6eb5f5 100644
--- a/plugins/vcard.c
+++ b/plugins/vcard.c
@@ -101,27 +101,41 @@ static void add_slash(char *dest, const char *src, int len_max, int len)
{
int i, j;
- for (i = 0, j = 0; i < len && j < len_max; i++, j++) {
+ for (i = 0, j = 0; i < len && j < len_max - 1; i++, j++) {
+ /* filling dest buffer - last field need to be reserved
+ * for '\0'*/
switch (src[i]) {
case '\n':
+ if (j == len_max - 2)
+ /* not enough space in the buffer to put char
+ * preceded with escaping sequence */
+ goto done;
+
dest[j++] = '\\';
dest[j] = 'n';
break;
case '\r':
+ if (j == len_max - 2)
+ goto done;
+
dest[j++] = '\\';
dest[j] = 'r';
break;
case '\\':
case ';':
case ',':
+ if (j == len_max - 2)
+ goto done;
+
dest[j++] = '\\';
default:
dest[j] = src[i];
break;
}
}
+
+done:
dest[j] = 0;
- return;
}
static void get_escaped_fields(char **fields, ...)
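Review bot: A non-positive `len_max` is still unhandled at the `done:` label: with `len_max == 0` the loop condition `j < len_max - 1` is false on entry, yet `dest[j] = 0` still writes `dest[0]` into a zero-length buffer. Consider returning early when `len_max <= 0`, or documenting that callers must pass at least 1. The three identical `if (j == len_max - 2)` guards in the `'\n'`, `'\r'` and `'\\'`/`';'`/`','` cases could also be folded into a single check ahead of the `switch` for characters that need escaping, so that a later addition to the escaped set cannot miss the bound check.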
--
1.7.0.4
* Re: [PATCH obexd] Fix writing out of bounds in add_slash func
From: Johan Hedberg @ 2011-07-26 11:25 UTC
To: Radoslaw Jablonski; +Cc: linux-bluetooth
Hi Radek,
On Thu, Jul 21, 2011, Radoslaw Jablonski wrote:
> diff --git a/plugins/vcard.c b/plugins/vcard.c
> index b997fc4..a6eb5f5 100644
> --- a/plugins/vcard.c
> +++ b/plugins/vcard.c
> @@ -101,27 +101,41 @@ static void add_slash(char *dest, const char *src, int len_max, int len)
> {
> int i, j;
>
> - for (i = 0, j = 0; i < len && j < len_max; i++, j++) {
> + for (i = 0, j = 0; i < len && j < len_max - 1; i++, j++) {
> + /* filling dest buffer - last field need to be reserved
> + * for '\0'*/
> switch (src[i]) {
> case '\n':
> + if (j == len_max - 2)
> + /* not enough space in the buffer to put char
> + * preceded with escaping sequence */
> + goto done;
I think it'd be more robust and clear that you're testing for an upper
limit to have a > or >= comparison here and in the other places, e.g.
if (j + 2 >= len_max)
> +done:
> dest[j] = 0;
> - return;
> }
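Review bot: Truncation at `done:` is silent: `add_slash` returns `void`, so when a `goto done` fires (or the loop stops on `j < len_max - 1`) the caller gets a terminated but shortened string with no indication that part of `src` was dropped. If callers need to know, return the number of bytes written or a truncation flag; otherwise a comment on the function stating that output is cut to at most `len_max - 1` bytes, and never in the middle of an escape pair, would document the behaviour.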
The return statement removal is a code cleanup which should be in its
own patch.
Johan