Prevent buffer overflow on reading value

Change-Id: I4a6d5abce72c4f2165a0d190068ef75157cf4c35
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>

diff --git a/src/init_db/system_info_db_init.c b/src/init_db/system_info_db_init.c
index 0de713232153a18fa5d6dfede64591bfd4c1df6a..8a179a14197ae5e8f497565d5021a65f4bfa2f8d 100644 (file)
--- a/src/init_db/system_info_db_init.c
+++ b/src/init_db/system_info_db_init.c
@@ -175,6 +175,7 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
        char key_internal[KEY_MAX];
        size_t key_internal_len;
        char buf[PATH_MAX];
+       size_t value_internal_len;
        char *ptr;
        FILE *fp = NULL;
 
@@ -196,7 +197,9 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
        key_internal_len = strlen(key_internal);
        while ((ptr = fgets(buf, sizeof(buf), fp))) {
                if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
-                       sscanf(buf, "%*s %[^\n]s", value);
+                       value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+                       snprintf(value, val_len < value_internal_len ? val_len : value_internal_len,
+                                       "%s", buf + key_internal_len + 1);
                        break;
                }
        }
@@ -217,7 +220,7 @@ static int db_set_value_specific_runtime(const char *db_path, char *tag, char *n
        char value_intg[LANG_MAX + 1] = {0};
        int ret;
 
-       ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX);
+       ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX + 1);
        if (ret != 0)
                return ret;
 

diff --git a/src/system_info.c b/src/system_info.c
index 5181ec6e07d00d85e26a044ce6ff70b8ab4ab7df..78b3a504cd37072dcc8ae31684d070f324fdf5ae 100644 (file)
--- a/src/system_info.c
+++ b/src/system_info.c
@@ -80,6 +80,7 @@ static int db_get_value(enum tag_type tag, const char *key,
        char key_internal[KEY_MAX];
        size_t key_internal_len;
        char buf[PATH_MAX];     // buffer size should be larger than KEY_MAX
+       size_t value_internal_len;
        FILE *fp = NULL;
        int ret;
        char *tag_s;
@@ -134,7 +135,9 @@ static int db_get_value(enum tag_type tag, const char *key,
        key_internal_len = strlen(key_internal);
        while ((temp = fgets(buf, sizeof(buf), fp))) {
                if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
-                       sscanf(buf, "%*s %[^\n]s", value);
+                       value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+                       snprintf(value, len < value_internal_len ? len : value_internal_len,
+                                       "%s", buf + key_internal_len + 1);
                        break;
                }
        }