Thanks to Fabrice Gilot for reporting the problem that led to uncovering this.
Due to a misunderstanding of the return value of snprintf (it is not truncated according
to the max size passed in) in places relying on snprintf to truncate the length
overflows are possible.
This patch wraps snprintf with a new lws_snprintf() which does truncate its length to allow
the buffer limiting scheme to work properly.
All users should update with these fixes.
In 1.7.x, there's no affected code in the library itself, just a couple on instances in the
test app code.
return 0;
}
+int
+lws_snprintf(char *str, size_t size, const char *format, ...)
+{
+ va_list ap;
+ int n;
+
+ if (!size)
+ return 0;
+
+ va_start(ap, format);
+ n = vsnprintf(str, size, format, ap);
+ va_end(ap);
+
+ if (n >= size)
+ return size;
+
+ return n;
+}
+
#ifdef LWS_NO_EXTENSIONS
/* we need to provide dummy callbacks for internal exts
#define LWS_INVALID_FILE INVALID_HANDLE_VALUE
#define LWS_O_RDONLY _O_RDONLY
-#define snprintf _snprintf
+#define lws_snprintf _snprintf
#else /* NOT WIN32 */
#include <unistd.h>
LWS_VISIBLE LWS_EXTERN void
lws_set_allocator(void *(*realloc)(void *ptr, size_t size));
+/**
+ * lws_snprintf(): lws_snprintf that truncates the returned length too
+ *
+ * \param str: destination buffer
+ * \param size: bytes left in destination buffer
+ * \param format: format string
+ * \param ...: args for format
+ *
+ * This lets you correctly truncate buffers by concatenating lengths, if you
+ * reach the limit the reported length doesn't exceed the limit.
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_snprintf(char *str, size_t size, const char *format, ...);
+
#ifdef __cplusplus
}
#endif
#endif
#ifdef LWS_HAVE__SNPRINTF
-#define snprintf _snprintf
+#define lws_snprintf _snprintf
#endif
#else /* not windows --> */
struct lws_client_connect_info i;
address = argv[optind];
- snprintf(ads_port, sizeof(ads_port), "%s:%u",
+ lws_snprintf(ads_port, sizeof(ads_port), "%s:%u",
address, port & 65535);
memset(&i, 0, sizeof(i));
i.context = context;
/* create client websockets using dumb increment protocol */
address = argv[optind];
- snprintf(ads_port, sizeof(ads_port), "%s:%u",
+ lws_snprintf(ads_port, sizeof(ads_port), "%s:%u",
address, port & 65535);
lwsl_notice("Connecting to %s...\n", ads_port);
memset(&i, 0, sizeof(i));
struct tm tm;
#endif
- p += snprintf(p, 512, " { %s, \"wsi\":\"%d\", \"conns\":[",
+ p += lws_snprintf(p, 512, " { %s, \"wsi\":\"%d\", \"conns\":[",
server_info, live_wsi);
/* render the list */
if (subsequent)
*p++ = ',';
subsequent = 1;
- p += snprintf(p, sizeof(cache) - (p - start) - 1,
+ p += lws_snprintf(p, sizeof(cache) - (p - start) - 1,
"{\"peer\":\"%s\",\"time\":\"%s\","
"\"ua\":\"%s\"}",
(*pp)->ip, date, (*pp)->user_agent);