From 85835cc7d137dcca1de1a0105d1fea82060fb4c1 Mon Sep 17 00:00:00 2001 From: "shingil.kang" Date: Wed, 22 Jun 2016 15:47:22 +0900 Subject: [PATCH] Fixed SVACE issues - Used snprintf instead of strcpy/sprintf - Used strncat instead of strcat - fixed memory leak - check null pointer Change-Id: I500ae335053e33040d0103935701c75bfdb59cce Signed-off-by: shingil.kang --- src/adb_auth_host.c | 9 +++-- src/auto_complete.c | 9 ++++- src/command_function.c | 8 ++-- src/sdb_client.c | 92 +----------------------------------------- src/sdb_client.h | 7 ---- src/sockets.c | 4 +- src/transport.c | 2 +- src/transport_usb.c | 2 +- src/usb_linux.c | 2 +- src/utils_unix.c | 2 +- 10 files changed, 24 insertions(+), 113 deletions(-) diff --git a/src/adb_auth_host.c b/src/adb_auth_host.c index cda620f..630866c 100644 --- a/src/adb_auth_host.c +++ b/src/adb_auth_host.c @@ -119,13 +119,14 @@ static void get_user_info(char *buf, size_t len) { ret = gethostname(hostname, sizeof(hostname)); if (ret < 0) #endif - strcpy(hostname, "unknown"); + snprintf(hostname, sizeof(hostname), "%s", "unknown"); + #if !defined _WIN32 && !defined ADB_HOST_ON_TARGET ret = getlogin_r(username, sizeof(username)); if (ret < 0) #endif - strcpy(username, "unknown"); + snprintf(username, sizeof(username), "%s", "unknown"); ret = snprintf(buf, len, " %s@%s", username, hostname); if (ret >= (signed) len) @@ -339,7 +340,7 @@ static int get_user_key(struct listnode *list) { static void get_vendor_keys(struct listnode *list) { const char *adb_keys_path; - char keys_path[MAX_PAYLOAD_V1]; + char keys_path[MAX_PAYLOAD_V1] = {0, }; char *path; char *save; struct stat buf; @@ -406,7 +407,7 @@ int adb_auth_get_userkey(unsigned char *data, size_t len) { D("Error getting user key filename"); return 0; } - strcat(path, ".pub"); + strncat(path, ".pub", sizeof(path) - strlen(path) - 1); file = load_file(path, (unsigned*) &ret); if (!file) { diff --git a/src/auto_complete.c b/src/auto_complete.c index 6766155..986a26a 100644 
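Review bot: In src/adb_auth_host.c, get_user_info(), the `if (ret < 0)` guard before the username fallback never fires, because getlogin_r() returns 0 on success and a positive error number on failure. When the call fails, `username` keeps whatever it held before and is then formatted into `buf` with `%s`; whether it is initialised is not visible, since the declarations sit above the hunk. The test should be `if (ret != 0)`, which makes the new `snprintf(username, sizeof(username), "%s", "unknown");` reachable.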
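Review bot: In src/adb_auth_host.c, adb_auth_get_userkey(), the bounded `strncat(path, ".pub", ...)` truncates silently, so when `path` is nearly full the suffix is partly or wholly dropped and `load_file(path, ...)` opens a different file from the intended public key. With the suffix dropped entirely, that file is presumably the private-key path itself. The `sizeof(path)` bound also relies on `path` being an array, which is declared above the hunk. Check for room before appending, e.g. `if (strlen(path) + sizeof(".pub") > sizeof(path)) { D("key path too long"); return 0; }`, matching the `return 0` used for the preceding error.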
--- a/src/auto_complete.c +++ b/src/auto_complete.c @@ -517,11 +517,16 @@ static void print_local_dirlist(char* src_dir, char** not_complete_char) { if(src_dir == NULL) { pwd_flag = 1; src_dir = strdup("./"); + if(!src_dir) + return; } d = opendir(src_dir); if(d == 0) { - goto finalize; + if(pwd_flag) { + SAFE_FREE(src_dir); + } + return; } struct dirent* de; struct stat statbuf; @@ -568,6 +573,8 @@ static void print_local_dirlist(char* src_dir, char** not_complete_char) { } finalize: + if(pwd_flag) + SAFE_FREE(src_dir); closedir(d); } diff --git a/src/command_function.c b/src/command_function.c index 9b38aeb..0f565f4 100644 --- a/src/command_function.c +++ b/src/command_function.c @@ -630,15 +630,15 @@ static int shell_connect_args(int argc, char ** argv) argc -= 2; argv += 2; while(argc-- > 0) { - strcat(shell_cmd, " "); + strncat(shell_cmd, " ", sizeof(shell_cmd) - strlen(shell_cmd) - 1); /* quote empty strings and strings with spaces */ int quote = (**argv == 0 || strchr(*argv, ' ')); if (quote) - strcat(shell_cmd, "\""); - strcat(shell_cmd, *argv++); + strncat(shell_cmd, "\"", sizeof(shell_cmd) - strlen(shell_cmd) - 1); + strncat(shell_cmd, *argv++, sizeof(shell_cmd) - strlen(shell_cmd) - 1); if (quote) - strcat(shell_cmd, "\""); + strncat(shell_cmd, "\"", sizeof(shell_cmd) - strlen(shell_cmd) - 1); } fd = sdb_connect(shell_cmd); diff --git a/src/sdb_client.c b/src/sdb_client.c index 8c1da5e..6da4f00 100644 --- a/src/sdb_client.c +++ b/src/sdb_client.c @@ -88,7 +88,7 @@ int send_service_with_length(int fd, const char* service, int host_fd) { D("error: write failure during connection\n"); if(host_fd == 0) { char buf[10]; - sprintf(buf, "%d", fd); + snprintf(buf, sizeof(buf), "%d", fd); print_error(SDB_MESSAGE_ERROR, F(ERR_SYNC_WRITE_FAIL, buf),NULL); } else { 
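Review bot: In src/auto_complete.c, print_local_dirlist(), the cleanup added at `finalize:` uses an unbraced `if(pwd_flag) SAFE_FREE(src_dir);`, while the opendir() failure path added earlier in this patch braces the same call. SAFE_FREE is a macro defined elsewhere; if it expands to more than one statement, only the first is guarded here and a caller-owned `src_dir` could be touched. Bracing it the same way, `if(pwd_flag) { SAFE_FREE(src_dir); }`, removes the dependency on the macro's shape. The function body starts before the first hunk and continues between the two hunks.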
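Review bot: In src/command_function.c, shell_connect_args(), the strncat() calls now stop at the end of `shell_cmd` but drop the overflow silently, so an over-long argument list reaches `sdb_connect(shell_cmd)` cut short. The cut can fall inside a quoted argument or before its closing quote, and the device then receives a different command from the one the user typed. The `sizeof(shell_cmd)` bound also assumes an array; the declaration is above the hunk. Reject the input instead: before appending each argument, test `if (strlen(shell_cmd) + strlen(*argv) + 4 > sizeof(shell_cmd))` (space, two quotes, terminator) and fail the call through the function's existing error path.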
@@ -162,96 +162,6 @@ int sdk_launch_exist() { return 0; } -int sdb_higher_ver(int first, int middle, int last) { - - const char* VERSION_QUERY = "shell:rpm -q sdbd"; - D("query the sdbd version\n"); - int fd = sdb_connect(VERSION_QUERY); - - if(fd < 0) { - D("fail to query the sdbd version\n"); - return fd; - } - - char ver[PATH_MAX]; - int max_len = PATH_MAX; - char* result_ptr = ver; - int len; - - D("read sdb version\n"); - while(fd >= 0) { - len = sdb_read(fd, result_ptr, max_len); - if(len == 0) { - break; - } - - if(len < 0) { - if(errno == EINTR) { - continue; - } - break; - } - max_len -= len; - result_ptr += len; - fflush(stdout); - } - - int version; - char* ver_num = NULL; - - ver_num = strchr(ver, '-') + 1; - - char* null = NULL; - null = strchr(ver_num, '-'); - - if(null == NULL) { - goto error; - } - *null = '\0'; - - D("sdbd version: %s\n", ver_num); - - null = strchr(ver_num, '.'); - if(null == NULL) { - goto error; - } - - *null = '\0'; - version = atoi(ver_num); - if(version > first) { - return 1; - } - if(version < first) { - return 0; - } - ver_num = ++null; - - null = strchr(ver_num, '.'); - if(null == NULL) { - goto error; - } - - version = atoi(ver_num); - *null = '\0'; - if(version > middle) { - return 1; - } - if(version < middle) { - return 0; - } - ver_num = ++null; - - version = atoi(ver_num); - if(version > last) { - return 1; - } - return 0; - -error: - LOG_ERROR("wrong version format %s", ver); - return -1; -} - #define SDB_FAILMSG_BUF_SIZE 255 int sdb_status_getfailmsg(int fd, int host_fd, char** pp_failmsg) { diff --git a/src/sdb_client.h b/src/sdb_client.h index 2b64d9d..70872f8 100644 --- a/src/sdb_client.h +++ b/src/sdb_client.h 
@@ -60,13 +60,6 @@ char *sdb_query(const char *service); /* return verbose error string from last operation */ const char *sdb_error(void); -/** - * check sdbd version in the target. - * returns true, if target version is higher then {first}.{middle}.{last}. - * else, returns false. - */ -int sdb_higher_ver(int first, int middle, int last); - /** * check /usr/sbin/sdk_launch exists in the target. * /usr/sbin/sdk_launch is included higher than sdbd 2.2.4 diff --git a/src/sockets.c b/src/sockets.c index 983ef18..d8428e0 100755 --- a/src/sockets.c +++ b/src/sockets.c @@ -603,7 +603,7 @@ void connect_to_remote(SDB_SOCKET *s, const char* destination) p->msg.command = A_OPEN; p->msg.arg0 = s->local_id; p->msg.data_length = len; - strcpy((char*) p->data, destination); + snprintf((char *)p->data, sizeof(p->data), "%s", destination); send_packet(p, s->transport); put_apacket(p); } @@ -730,7 +730,7 @@ static int handle_request_with_t(SDB_SOCKET* socket, char* service, TRANSPORT* t else{ local = strtok(request, ";"); remote = strtok(NULL , ";"); - if(remote == 0 || remote[1] == '\0') { + if(local == NULL || remote == NULL || remote[1] == '\0') { forward_err = error_message(SDB_MESSAGE_ERROR, ERR_FORWARD_INVALID_PROTOCOL, NULL); goto sendfail; } diff --git a/src/transport.c b/src/transport.c index e408eaa..5a1a83b 100755 --- a/src/transport.c +++ b/src/transport.c @@ -241,7 +241,7 @@ void send_packet(PACKET *p, TRANSPORT *t) static __inline__ void wakeup_select(T_PACKET* t_packet) { sdb_mutex_lock(&wakeup_select_lock, "wakeup_select"); - writex(fdevent_wakeup_send, &t_packet, sizeof(t_packet)); + writex(fdevent_wakeup_send, &t_packet, sizeof(&t_packet)); sdb_mutex_unlock(&wakeup_select_lock, "wakeup_select"); } diff --git a/src/transport_usb.c b/src/transport_usb.c index a89ed05..7c06893 100755 --- a/src/transport_usb.c +++ b/src/transport_usb.c 
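Review bot: In src/sockets.c, connect_to_remote(), `p->msg.data_length = len` is set before the new snprintf() and is not adjusted if the copy truncates, so the packet can advertise more bytes than were written and carry whatever `p->data` held past the terminator. `len` is computed above the hunk and any earlier size check is not visible, so this may already be excluded. `sizeof(p->data)` is also a valid bound only if `data` is an array member rather than a pointer. Checking the result next to the copy keeps length and payload in step: `int n = snprintf((char *)p->data, sizeof(p->data), "%s", destination);` followed by `if (n < 0 || (size_t)n >= sizeof(p->data)) { put_apacket(p); return; }`.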
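Review bot: In src/transport.c, wakeup_select(), changing the length to `sizeof(&t_packet)` does not change what is written: `t_packet` is a `T_PACKET*` and `&t_packet` a `T_PACKET**`, both pointer-sized, so the call still sends the pointer value and not the packet. If that is intended, `sizeof(t_packet)` states it more directly, with a comment such as `/* the pointer itself is handed to the fdevent side; the reader takes ownership */`. The ownership part is inferred and should be confirmed against the reader. If the analyzer warning was about sending the pointee, neither form addresses it. The return value of writex() is also ignored, so a short or failed write goes unnoticed.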
@@ -129,7 +129,7 @@ void register_usb_transport(usb_handle *usb, const char *serial, platform_type p register_transport(t); /* tizen specific */ - sprintf(device_name, "device-%d",get_connected_device_count(kTransportUsb)); + snprintf(device_name, sizeof(device_name), "device-%d",get_connected_device_count(kTransportUsb)); t->device_name = strdup(device_name); } diff --git a/src/usb_linux.c b/src/usb_linux.c index 005f222..16a68e3 100644 --- a/src/usb_linux.c +++ b/src/usb_linux.c @@ -273,7 +273,7 @@ int register_device(const char* node, const char* serial) { s_strncpy(usb_serial, serial, sizeof(usb_serial)); } else { if(!get_usb_device_serial_number(fd, usb_dev->iSerialNumber, usb_serial)) { - strcpy(usb_serial, "unknown"); + snprintf(usb_serial, sizeof(usb_serial), "%s", "unknown"); } } s_strncpy(usb->unique_node_path, node, diff --git a/src/utils_unix.c b/src/utils_unix.c index fce088c..12676fe 100755 --- a/src/utils_unix.c +++ b/src/utils_unix.c @@ -145,7 +145,7 @@ static char* _ansi_to_utf8(const char *str) len = strlen(str); utf8 = (char *)calloc(len+1, sizeof(char)); - strcpy(utf8, str); + snprintf(utf8, (len+1)*sizeof(char), "%s", str); return utf8; } -- 2.34.1
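Review bot: In src/utils_unix.c, _ansi_to_utf8(), the calloc() result is passed to snprintf() without a NULL check, so an allocation failure becomes a write through a null pointer. Add `if (utf8 == NULL) return NULL;` before the copy; the callers are outside the hunk and would need to accept NULL. Since `len` is already known, `memcpy(utf8, str, len);` into the zeroed buffer is a simpler copy than the formatted one.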