From 5dee3de4df5d8b5acbbbf106ac628db557759286 Mon Sep 17 00:00:00 2001
From: "shingil.kang" <shingil.kang@samsung.com>
Date: Wed, 6 Jan 2016 19:26:30 +0900
Subject: [PATCH] prevent buffer overflow when reading struct array

Change-Id: Id472948779e6ad2971b263c285fd6c9bfda1e230
Signed-off-by: shingil.kang <shingil.kang@samsung.com>
---
 src/properties.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/properties.c b/src/properties.c
index 13e45cf..7594100 100644
--- a/src/properties.c
+++ b/src/properties.c
@@ -50,6 +50,7 @@ struct config_node {
     { "service.sdb.tcp.port", "0" },
     { NULL, "" }
 };
+int sdbd_config_element_cnt = sizeof(sdbd_config) / sizeof(sdbd_config[0]);
 
 void property_save();
 
@@ -67,8 +68,7 @@ static void property_init(void)
         if(read_line(fd, buffer, PROPERTY_KEY_MAX+PROPERTY_VALUE_MAX+1) < 0)
             break;
         tok = strtok(buffer, PROPERTY_SEPARATOR);
-        int array_element_cnt = sizeof(sdbd_config) / sizeof(sdbd_config[0]);
-        for (i = 0; i < array_element_cnt && sdbd_config[i].key ; i++) {
+        for (i = 0; i < sdbd_config_element_cnt && sdbd_config[i].key ; i++) {
             if (!strcmp(tok, sdbd_config[i].key)) {
                 tok = strtok(NULL, PROPERTY_SEPARATOR);
                 strncpy(sdbd_config[i].value, tok, PROPERTY_VALUE_MAX);
@@ -97,7 +97,7 @@ void property_save()
         return;
     }
 
-    for (i = 0; sdbd_config[i].key; i++) {
+    for (i = 0; i < sdbd_config_element_cnt && sdbd_config[i].key; i++) {
         snprintf(buffer, sizeof(buffer), "%s%s%s\n", sdbd_config[i].key, PROPERTY_SEPARATOR, sdbd_config[i].value);
         sdb_write(fd, buffer, strlen(buffer));
     }
@@ -110,7 +110,8 @@ int property_set(const char *key, const char *value)
     int i = 0;
 
     mutex_lock(&env_lock);
-    for (i = 0; sdbd_config[i].key; i++) {
+
+    for (i = 0; i < sdbd_config_element_cnt && sdbd_config[i].key; i++) {
         if (!strcmp(key,sdbd_config[i].key)) {
             strncpy(sdbd_config[i].value, value, PROPERTY_VALUE_MAX);
             D("property set key=%s, value=%s\n", key, value);
@@ -129,7 +130,8 @@ int property_get(const char *key, char *value, const char *default_value)
 
     property_init();
     mutex_lock(&env_lock);
-    for (i = 0; sdbd_config[i].key; i++) {
+
+    for (i = 0; i < sdbd_config_element_cnt && sdbd_config[i].key; i++) {
         if (!strcmp(key,sdbd_config[i].key)) {
             len = strlen(sdbd_config[i].value);
             memcpy(value, sdbd_config[i].value, len + 1);
-- 
2.7.4