From: Kichan Kwon
Date: Mon, 22 Jun 2020 03:30:38 +0000 (+0900)
Subject: Prevent buffer overflow on reading value
X-Git-Tag: submit/tizen_4.0/20200622.054729^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_4.0;p=platform%2Fcore%2Fapi%2Fsystem-info.git
Prevent buffer overflow on reading value
Change-Id: I4a6d5abce72c4f2165a0d190068ef75157cf4c35
Signed-off-by: Kichan Kwon
---
diff --git a/src/init_db/system_info_db_init.c b/src/init_db/system_info_db_init.c
index 7e62ac2..b4efa8a 100644
--- a/src/init_db/system_info_db_init.c
+++ b/src/init_db/system_info_db_init.c
@@ -175,6 +175,7 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
 char key_internal[KEY_MAX];
 size_t key_internal_len;
 char buf[PATH_MAX];
+ size_t value_internal_len;
 char *ptr;
 FILE *fp = NULL;
@@ -196,7 +197,9 @@ static int db_get_value(const char *db_path, char *tag, char *name, char *type,
 key_internal_len = strlen(key_internal);
 while ((ptr = fgets(buf, sizeof(buf), fp))) {
 if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
- sscanf(buf, "%*s %[^\n]s", value);
+ value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+ snprintf(value, val_len < value_internal_len ? val_len : value_internal_len,
+ "%s", buf + key_internal_len + 1);
 break;
 }
 }
@@ -217,7 +220,7 @@ static int db_set_value_specific_runtime(const char *db_path, char *tag, char *n
 char value_intg[LANG_MAX + 1] = {0};
 int ret;
- ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX);
+ ret = db_get_value(db_path, tag, name, type, value_intg, LANG_MAX + 1);
 if (ret != 0) return ret;
diff --git a/src/system_info.c b/src/system_info.c
index 4522e09..4a95b72 100644
--- a/src/system_info.c
+++ b/src/system_info.c
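Review bot: In the `@@ -196,7 +197,9 @@` hunk of src/init_db/system_info_db_init.c, the new snprintf() truncates silently when the stored value needs more than `val_len` bytes, and the loop still reaches `break`, so as far as the hunk shows the caller cannot tell a clipped value from a complete one. Consider checking `value_internal_len > val_len` before the copy and reporting it through the function's error return; the return path lies outside the hunk, so the appropriate error code has to be taken from there. With `val_len == 0` snprintf() writes nothing at all and `value` is left without a terminator, which the same check would also cover. The `@@ -132,7 +133,9 @@` hunk of src/system_info.c has the same two lines with `len` in place of `val_len`.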
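Review bot: In the `@@ -217,7 +220,7 @@` hunk, the length argument repeats the array bound by hand; `ret = db_get_value(db_path, tag, name, type, value_intg, sizeof(value_intg));` would keep the two from drifting apart if the declaration changes. The removed sscanf() never used the length argument, so only now does it become the sole bound on the write into the caller's buffer. That makes every other caller of db_get_value() in this file worth auditing for a length that matches its buffer; none of them are visible in this diff, and db_set_value_specific_runtime's body continues outside the hunk.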
@@ -78,6 +78,7 @@ static int db_get_value(enum tag_type tag, const char *key,
 char key_internal[KEY_MAX];
 size_t key_internal_len;
 char buf[PATH_MAX]; // buffer size should be larger than KEY_MAX
+ size_t value_internal_len;
 FILE *fp = NULL;
 int ret;
 char *tag_s;
@@ -132,7 +133,9 @@ static int db_get_value(enum tag_type tag, const char *key,
 key_internal_len = strlen(key_internal);
 while ((temp = fgets(buf, sizeof(buf), fp))) {
 if (!strncmp(buf, key_internal, key_internal_len) && buf[key_internal_len] == ' ') {
- sscanf(buf, "%*s %[^\n]s", value);
+ value_internal_len = strcspn(buf + key_internal_len + 1, "\n") + 1;
+ snprintf(value, len < value_internal_len ? len : value_internal_len,
+ "%s", buf + key_internal_len + 1);
 break;
 }
 }
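Review bot: The replacement in the `@@ -132,7 +133,9 @@` hunk is not equivalent to the removed sscanf(): it copies verbatim from `buf + key_internal_len + 1`, so any extra blanks after the key are kept, and a line with no value now stores an empty string where sscanf() left `value` untouched. This is harmless if the database writer always emits exactly one space and a non-empty value, but that is not visible here and should be confirmed. A short comment above the two added lines would make the arithmetic easier to audit, for example `/* copy the value without its trailing newline; the +1 leaves room for the NUL */`. The same applies to the matching hunk in src/init_db/system_info_db_init.c, and db_get_value's body continues outside this hunk.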