From c2a8a1d5b12ae2282f69ddaea13edca28a4c3f62 Mon Sep 17 00:00:00 2001 From: Jihun Ha Date: Fri, 1 Apr 2016 16:38:34 +0900 Subject: [PATCH] Remove an vulnerability for using strcat() function in oicgroup Rather than strcat function, strncat function with a consideration of a maximum length of string is better to be used for security reason. Change-Id: I12b76ef4c149c66fac2b6b2963feef86d760d85f Signed-off-by: Jihun Ha Reviewed-on: https://gerrit.iotivity.org/gerrit/7515 Reviewed-by: Uze Choi Tested-by: jenkins-iotivity --- resource/csdk/stack/src/oicgroup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/resource/csdk/stack/src/oicgroup.c b/resource/csdk/stack/src/oicgroup.c index e34d73e..4997686 100755 --- a/resource/csdk/stack/src/oicgroup.c +++ b/resource/csdk/stack/src/oicgroup.c @@ -787,14 +787,14 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc) } actionTypeStr = (char *)malloc(1024); - if(actionTypeStr != NULL) + if(actionTypeStr != NULL && remaining >= strlen(actionTypeStr) + strlen(ACTION_DELIMITER) + 1) { sprintf(actionTypeStr, "%ld %u", actionset->timesteps, actionset->type); strncat(temp, actionTypeStr, strlen(actionTypeStr)); remaining -= strlen(actionTypeStr); free(actionTypeStr); strncat(temp, ACTION_DELIMITER, strlen(ACTION_DELIMITER)); - remaining--; + remaining -= strlen(ACTION_DELIMITER); } else { @@ -809,6 +809,7 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc) res = OC_STACK_ERROR; goto exit; } + strcat(temp, "uri="); remaining -= strlen("uri="); strcat(temp, action->resourceUri); @@ -842,6 +843,7 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc) goto exit; } strcat(temp, "|"); + remaining --; } } -- 2.7.4