BMP: Fix off-by-one buffer overflow

Config validation checks string length, buffers for system
name/description should have one more byte for null termination.

Thanks to lzx0xf1 for the bugreport.

diff --git a/proto/bmp/bmp.h b/proto/bmp/bmp.h
index 52f7212252afd988765a565f206f09bc61c02a52..b1bc3866084cd04a71dfab02219a0b2209558474 100644 (file)
--- a/proto/bmp/bmp.h
+++ b/proto/bmp/bmp.h
@@ -68,8 +68,8 @@ struct bmp_proto {
   sock *sk;                        // TCP connection
   event *tx_ev;                    // TX event
   event *update_ev;                // Update event
-  char sys_descr[MIB_II_STR_LEN];  // sysDescr MIB-II [RFC1213] object
-  char sys_name[MIB_II_STR_LEN];   // sysName MIB-II [RFC1213] object
+  char sys_descr[MIB_II_STR_LEN+1];// sysDescr MIB-II [RFC1213] object
+  char sys_name[MIB_II_STR_LEN+1]; // sysName MIB-II [RFC1213] object
   ip_addr local_addr;              // Source local IP address
   ip_addr station_ip;              // Monitoring station IP address
   u16 station_port;                // Monitoring station TCP port

diff --git a/proto/bmp/config.Y b/proto/bmp/config.Y
index 782947150b04d3d74f0c9b692c89c4d594cbec71..ed675aafb8dfa08c9edd0fcffde2cd71f21b8b13 100644 (file)
--- a/proto/bmp/config.Y
+++ b/proto/bmp/config.Y
@@ -55,14 +55,14 @@ bmp_proto:
  | bmp_proto SYSTEM DESCRIPTION text ';' {
      if (!$4 || (strlen($4) == 0))
        cf_error("String is empty");
-     else if (strlen($4) > 255)
+     else if (strlen($4) > MIB_II_STR_LEN)
        cf_error("Invalid string length");
      BMP_CFG->sys_descr = $4;
    }
  | bmp_proto SYSTEM NAME text ';' {
      if (!$4 || (strlen($4) == 0))
        cf_error("String is empty");
-     else if (strlen($4) > 255)
+     else if (strlen($4) > MIB_II_STR_LEN)
        cf_error("Invalid string length");
      BMP_CFG->sys_name = $4;
    }