Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
return FALSE;
}
- /* read message */
- msg = malloc(len);
+ /* read message (we need an additional byte to terminate the buffer) */
+ msg = malloc(len + 1);
msg->length = len;
if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
{
free(msg);
return FALSE;
}
+ /* make sure even incorrectly unterminated strings don't extend over the
+ * message boundaries */
+ ((char*)msg)[len] = '\0';
DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);