From: Jeremy Sowden <jeremy@azazel.net>
Date: Tue, 30 Nov 2021 10:55:41 +0000 (+0000)
Subject: output: DBI: fix NUL-termination of escaped SQL string
X-Git-Tag: ulogd-2.0.8~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d429162387ce4fe12e7e35d911680cb1c37f2cd2;p=thirdparty%2Fulogd2.git

output: DBI: fix NUL-termination of escaped SQL string

On error, `dbi_conn_quote_string_copy` returns zero.  In this case, we
need to set `*dst` to NUL.  Handle a return-value of `2` as normal
below.  `1` is never returned.

Replace `strncpy` with `memcpy`: using `strncpy` is nearly always a
mistake, and we don't need its special behaviour here.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/output/dbi/ulogd_output_DBI.c b/output/dbi/ulogd_output_DBI.c
index fff9abc..57e3058 100644
--- a/output/dbi/ulogd_output_DBI.c
+++ b/output/dbi/ulogd_output_DBI.c
@@ -236,18 +236,20 @@ static int escape_string_dbi(struct ulogd_pluginstance *upi,
 	}
 
 	ret = dbi_conn_quote_string_copy(pi->dbh, src, &newstr);
-	if (ret <= 2)
+	if (ret == 0) {
+		*dst = '\0';
 		return 0;
+	}
 
 	/* dbi_conn_quote_string_copy returns a quoted string,
 	 * but __interp_db already quotes the string
 	 * So we return a string without the quotes
 	 */
-	strncpy(dst,newstr+1,ret-2);
-	dst[ret-2] = '\0';
+	memcpy(dst, newstr + 1, ret - 2);
+	dst[ret - 2] = '\0';
 	free(newstr);
 
-	return (ret-2);
+	return ret - 2;
 }
 
 static int execute_dbi(struct ulogd_pluginstance *upi,