projects / platform / core / api / system-info.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c9cafe0)
Use memcpy to prevent buffer over-reading by snprintf 80/141880/3
authorKichan Kwon <k_c.kwon@samsung.com>
Wed, 2 Aug 2017 01:15:09 +0000 (10:15 +0900)
committerKichan Kwon <k_c.kwon@samsung.com>
Wed, 2 Aug 2017 09:24:40 +0000 (18:24 +0900)
- snprintf calculates return value by checking the length of format string
- Therefore, if format string is non-terminated, snprintf can over-read
- To prevent, use memcpy and write null character

Change-Id: I9ba837d8e22313be6e34ba39e4ccaf7743166d89
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
src/system_info.c patch | blob | history

diff --git a/src/system_info.c b/src/system_info.c
index 4fbc050855035be0e42881ddc5b4ef05d56cedd8..a4490636c665ff4a1f374b2d4ec7027ab6baaceb 100644 (file)
--- a/src/system_info.c
+++ b/src/system_info.c
@@ -139,7 +139,13 @@ static int db_get_value(enum tag_type tag, const char *key,
                goto out;
        }
 
-       snprintf(value, len, "%s", d_data.dptr);
+       if (len <= d_data.dsize) {
+               _E("Buffer size is smaller than DB value size. It can be cut");
+               d_data.dsize = len - 1;
+       }
+
+       memcpy(value, d_data.dptr, d_data.dsize);
+       value[d_data.dsize] = '\0';
        free(d_data.dptr);
        ret = SYSTEM_INFO_ERROR_NONE;
 
@@ -255,7 +261,7 @@ out:
 static int system_info_get_bool(enum tag_type tag, const char *key, bool *value)
 {
        int ret;
-       char val[8];
+       char val[16];
        char *valp;
        size_t len;
        const char *runtime_type;
Domain: System / System Framework;