From: Arran Cudbard-Bell
Date: Thu, 30 Jul 2015 16:11:51 +0000 (-0400)
Subject: Fix potential buffer overflow in value_data_prints
X-Git-Tag: release_3_0_10~278
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42172099c57604ddfb8a48c4bd4b7390a13d3430;p=thirdparty%2Ffreeradius-server.git
Fix potential buffer overflow in value_data_prints
---
diff --git a/src/lib/value.c b/src/lib/value.c
index 545c9a8a809..a30e21dec52 100644
--- a/src/lib/value.c
+++ b/src/lib/value.c
@@ -1576,6 +1576,7 @@ size_t value_data_prints(char *out, size_t outlen,
 DICT_VALUE *v;
 char buf[1024]; /* Interim buffer to use with poorly behaved printing functions */
 char const *a = NULL;
+ char *p = out;
 time_t t;
 struct tm s_tm;
 unsigned int i;
@@ -1587,6 +1588,8 @@ size_t value_data_prints(char *out, size_t outlen,
 *out = '\0';
+ p = out;
+
 switch (type) {
 case PW_TYPE_STRING:
@@ -1596,22 +1599,23 @@ size_t value_data_prints(char *out, size_t outlen,
 if (quote) {
 if (freespace < 3) return inlen + 2;
- *out++ = quote;
+ *p++ = quote;
 freespace--;
- len = fr_prints(out, freespace, data->strvalue, inlen, quote);
+ len = fr_prints(p, freespace, data->strvalue, inlen, quote);
 /* always terminate the quoted string with another quote */
 if (len >= (freespace - 1)) {
+ /* Use out not p as we're operating on the entire buffer */
 out[outlen - 2] = (char) quote;
 out[outlen - 1] = '\0';
 return len + 2;
 }
- out += len;
+ p += len;
 freespace -= len;
- *out++ = (char) quote;
+ *p++ = (char) quote;
 freespace--;
- *out = '\0';
+ *p = '\0';
 return len + 2;
 }
@@ -1729,7 +1733,7 @@ print_int:
 a = inet_ntop(AF_INET6, &addr, buf, sizeof(buf));
 if (a) {
- char *p = buf;
+ p = buf;
 len = strlen(buf);
 p += len;
@@ -1749,7 +1753,7 @@ print_int:
 a = inet_ntop(AF_INET, &addr, buf, sizeof(buf));
 if (a) {
- char *p = buf;
+ p = buf;
 len = strlen(buf);
 p += len;
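Review bot: `p` is pointed at `out` twice, once by the initialiser added in the first hunk (`char *p = out;`) and again by the `p = out;` that the second hunk adds after `*out = '\0';`. Nothing visible between the two changes `out`, so one of them looks redundant. Keeping the initialised declaration and dropping the later assignment would leave a single place that defines where the cursor starts. The lines between the declarations and `*out = '\0';` are outside both hunks, so confirm nothing there moves `out` before removing it.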
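Review bot: In the PW_TYPE_STRING hunk, the truncation branch writes `out[outlen - 2]` and `out[outlen - 1]`, but the only bound checked in view is `if (freespace < 3)`. Those writes are in range only if `freespace` starts out equal to `outlen`, which is set outside the hunk. Mixing an absolute length with a moved pointer is what this commit fixes, so the new comment should record that invariant as well. If it holds, something like `/* freespace started at outlen and was checked >= 3 above, so out[outlen - 2] is inside the buffer */` would do. The first write, `*p++ = quote;`, also lacks the `(char)` cast the other two quote writes use; make them consistent either way.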
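Review bot: Replacing the block-scoped `char *p = buf;` with `p = buf;` in the AF_INET6 hunk, and again in the AF_INET hunk after it, gives the function-scope `p` two meanings. In the string case it is the write cursor into the caller's `out`, while in these two branches it walks the interim `buf`. The old block-local declaration kept those roles apart. If it was removed only to avoid shadowing the new variable, a distinct name for the `out` cursor would keep them separate. Failing that, a comment on each assignment such as `/* p walks buf here, not out */` would stop a later edit from assuming `p` still points into `out`. The remainder of both branches lies outside the hunks.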