Fix buffer overflow in dial_server.c (b/16673295)

Change-Id: Icc92bfdb7b98028035949c4243cedfb0f40d005e
diff --git a/src/server/dial_server.c b/src/server/dial_server.c
index 43413b4..ca3ee5e 100644
--- a/src/server/dial_server.c
+++ b/src/server/dial_server.c
@@ -118,7 +118,7 @@
                              const char *app_name,
                              const char *origin_header) {
     char additional_data_param[256] = {0, };
-    char body[DIAL_MAX_PAYLOAD + sizeof(additional_data_param) + 2] = {0, };
+    char body[DIAL_MAX_PAYLOAD] = {0, };
     DIALApp *app;
     DIALServer *ds = request_info->user_data;
     int body_size;
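Review bot: Shrinking `body` to `DIAL_MAX_PAYLOAD` bytes is only safe if the code that fills it from the request is capped at `sizeof(body) - 1`, and that code lies outside this hunk. The `strcat` and the `"%s"` log further down both depend on `body` staying NUL-terminated. If the read is still sized by a separate constant or by the old, larger expression, this change turns the old slack into an overflow. Please confirm the bound there, and consider a comment on the declaration such as `// request body plus optional additionalDataUrl; always NUL-terminated, so at most DIAL_MAX_PAYLOAD - 1 bytes of data`.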
@@ -143,15 +143,17 @@
             in_port_t dial_port = DIAL_get_port(ds);
 
             if (app->useAdditionalData) {
-                if (body_size != 0) {
-                    strcat(body, "&");
-                }
                 // Construct additionalDataUrl=http://host:port/apps/app_name/dial_data
-                sprintf(additional_data_param,
-                        "additionalDataUrl=http%%3A%%2F%%2Flocalhost%%3A%d%%2Fapps%%2F%s%%2Fdial_data%%3F",
+                snprintf(additional_data_param, sizeof(additional_data_param),
+                        "%sadditionalDataUrl=http%%3A%%2F%%2Flocalhost%%3A%d%%2Fapps%%2F%s%%2Fdial_data%%3F",
+                        (body_size != 0) ? "&" : "",
                         dial_port, app_name);
-                strcat(body, additional_data_param);
-                body_size = strlen(body);
+                if ((body_size + strlen(additional_data_param)) < DIAL_MAX_PAYLOAD) {
+                    strcat(body, additional_data_param);
+                    body_size = strlen(body);
+                } else {
+                    fprintf(stderr, "payload too small for additional data\n");
+                }
             }
             fprintf(stderr, "Starting the app with params %s\n", body);
             app->state = app->callbacks.start_cb(ds, app_name, body, body_size,
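Review bot: The return value of the new `snprintf` is not checked, so an `app_name` too long for the 256-byte `additional_data_param` is silently truncated, possibly in the middle of a `%XX` escape, and the shortened parameter is still appended and passed to `start_cb`. Capture the result and skip the append on truncation: `int n = snprintf(...);` followed by `if (n < 0 || (size_t)n >= sizeof(additional_data_param))`. The else branch only logs and then starts the app without the additionalDataUrl it asked for; rejecting the request there may be safer than launching with a partial parameter set. The message "payload too small for additional data" would read more accurately as "body too large for additional data". The enclosing function begins and ends outside this hunk.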
@@ -168,7 +170,11 @@
                         laddr, dial_port, app_name, origin_header);
                 // copy the payload into the application struct
                 memset(app->payload, 0, DIAL_MAX_PAYLOAD);
-                memcpy(app->payload, body, body_size);
+                if (body_size<=DIAL_MAX_PAYLOAD) {
+                    memcpy(app->payload, body, body_size);
+                } else {
+                    fprintf(stderr, "payload too small for body of %d bytes\n", body_size);
+                }
             } else {
                 mg_send_http_error(conn, 503, "Service Unavailable",
                                    "Service Unavailable");
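Review bot: The new guard `body_size<=DIAL_MAX_PAYLOAD` has no lower bound, and `body_size` is a signed `int` that `memcpy` converts to `size_t`. A negative value (for example from a failed read, if that is how it is set outside this hunk) would pass the check and become a huge copy length; `if (body_size >= 0 && body_size <= DIAL_MAX_PAYLOAD)` closes that. If `app->payload` is exactly `DIAL_MAX_PAYLOAD` bytes, as the `memset` suggests, and is later read as a string, the bound should be `<` so that a terminator always remains. The else branch also appears to run after `start_cb` has already received the body, so the stored payload and the running app can disagree, which may deserve a comment or an earlier check.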