Fix potential buffer overflow in value_data_prints
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 30 Jul 2015 16:11:51 +0000 (12:11 -0400)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 30 Jul 2015 16:21:30 +0000 (12:21 -0400)
src/lib/value.c

index 545c9a8a809da1903745af4202d22eb2f025e45f..a30e21dec525463dbb965a33cb353ff7bd38ea2d 100644 (file)
@@ -1576,6 +1576,7 @@ size_t value_data_prints(char *out, size_t outlen,
        DICT_VALUE      *v;
        char            buf[1024];      /* Interim buffer to use with poorly behaved printing functions */
        char const      *a = NULL;
+       char            *p = out;
        time_t          t;
        struct tm       s_tm;
        unsigned int    i;
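Review bot: The initializer in `char *p = out;` is repeated by the `p = out;` assignment that the next hunk adds before the `switch`, so one of the two is redundant. Since `out` is no longer advanced anywhere in the visible hunks, I would keep the initialized declaration and drop the later `p = out;`. The body of value_data_prints starts and ends outside this hunk, so confirm nothing between the declaration and the `switch` changes `out`.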
@@ -1587,6 +1588,8 @@ size_t value_data_prints(char *out, size_t outlen,
 
        *out = '\0';
 
+       p = out;
+
        switch (type) {
        case PW_TYPE_STRING:
 
@@ -1596,22 +1599,23 @@ size_t value_data_prints(char *out, size_t outlen,
                if (quote) {
                        if (freespace < 3) return inlen + 2;
 
-                       *out++ = quote;
+                       *p++ = quote;
                        freespace--;
 
-                       len = fr_prints(out, freespace, data->strvalue, inlen, quote);
+                       len = fr_prints(p, freespace, data->strvalue, inlen, quote);
                        /* always terminate the quoted string with another quote */
                        if (len >= (freespace - 1)) {
+                               /* Use out not p as we're operating on the entire buffer */
                                out[outlen - 2] = (char) quote;
                                out[outlen - 1] = '\0';
                                return len + 2;
                        }
-                       out += len;
+                       p += len;
                        freespace -= len;
 
-                       *out++ = (char) quote;
+                       *p++ = (char) quote;
                        freespace--;
-                       *out = '\0';
+                       *p = '\0';
 
                        return len + 2;
                }
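Review bot: On the truncation branch (`len >= (freespace - 1)`) the closing quote is stored at `out[outlen - 2]` regardless of what fr_prints left in the buffer, so whether the result is correctly quoted depends on behaviour this hunk does not show. If fr_prints filled the buffer, the quote replaces its last byte, which may be the second half of an escape pair and would leave a backslash directly before the closing quote. If it stopped short, its own terminator sits before the quote and the string ends unquoted. Both cases should be confirmed against fr_prints, and the branch should at least carry a comment such as `/* Truncated: closing quote overwrites the tail of the escaped data; callers must compare the return value with outlen */`. The indexing also assumes `freespace` started equal to `outlen`, which is set outside the hunk.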
@@ -1729,7 +1733,7 @@ print_int:
 
                a = inet_ntop(AF_INET6, &addr, buf, sizeof(buf));
                if (a) {
-                       char *p = buf;
+                       p = buf;
 
                        len = strlen(buf);
                        p += len;
@@ -1749,7 +1753,7 @@ print_int:
 
                a = inet_ntop(AF_INET, &addr, buf, sizeof(buf));
                if (a) {
-                       char *p = buf;
+                       p = buf;
 
                        len = strlen(buf);
                        p += len;