Remove an vulnerability for using strcat() function in oicgroup

Rather than strcat function, strncat function with a consideration of
a maximum length of string is better to be used for security reason.

Change-Id: I12b76ef4c149c66fac2b6b2963feef86d760d85f
Signed-off-by: Jihun Ha <jihun.ha@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/7521
Reviewed-by: Uze Choi <uzchoi@samsung.com>
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>

diff --git a/resource/csdk/stack/src/oicgroup.c b/resource/csdk/stack/src/oicgroup.c
index e34d73e..4997686 100755 (executable)
--- a/resource/csdk/stack/src/oicgroup.c
+++ b/resource/csdk/stack/src/oicgroup.c
@@ -787,14 +787,14 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc)
     }
 
     actionTypeStr = (char *)malloc(1024);
-    if(actionTypeStr != NULL)
+    if(actionTypeStr != NULL && remaining >= strlen(actionTypeStr) + strlen(ACTION_DELIMITER) + 1)
     {
         sprintf(actionTypeStr, "%ld %u", actionset->timesteps, actionset->type);
         strncat(temp, actionTypeStr, strlen(actionTypeStr));
         remaining -= strlen(actionTypeStr);
         free(actionTypeStr);
         strncat(temp, ACTION_DELIMITER, strlen(ACTION_DELIMITER));
-        remaining--;
+        remaining -= strlen(ACTION_DELIMITER);
     }
     else
     {
@@ -809,6 +809,7 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc)
             res = OC_STACK_ERROR;
             goto exit;
         }
+
         strcat(temp, "uri=");
         remaining -= strlen("uri=");
         strcat(temp, action->resourceUri);
@@ -842,6 +843,7 @@ OCStackResult BuildStringFromActionSet(OCActionSet* actionset, char** desc)
                     goto exit;
                 }
                 strcat(temp, "|");
+                remaining --;
             }
         }