From 407c7a10f54e49c9ee7fb496285e0901b864ed8c Mon Sep 17 00:00:00 2001
From: Rebecca Palmer
Date: Tue, 17 Dec 2013 17:40:33 +0000
Subject: [PATCH] Fix buffer overflow CVE-2012-2091 (thanks to Saikrishna Arcot) https://bugs.launchpad.net/ubuntu/+source/simgear/+bug/1077624 (discussed in comments 65-78) (This is already fixed in 2.12 but appears to have been forgotten in 2.99; the other vulnerabilities described there are already fixed.)
---
 simgear/io/sg_socket_udp.cxx | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/simgear/io/sg_socket_udp.cxx b/simgear/io/sg_socket_udp.cxx
index acf7e9e5..bfc8f7bd 100644
--- a/simgear/io/sg_socket_udp.cxx
+++ b/simgear/io/sg_socket_udp.cxx
@@ -103,9 +103,14 @@ int SGSocketUDP::read( char *buf, int length ) {
         return 0;
     }
+    if (length <= 0) {
+        return 0;
+    }
     int result;
+    // prevent buffer overflow
+    int maxsize = std::min(length - 1, SG_IO_MAX_MSG_SIZE);
-    if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
+    if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
         buf[result] = '\0';
         // printf("msg received = %s\n", buf);
     }
@@ -120,10 +125,16 @@ int SGSocketUDP::readline( char *buf, int length ) {
         return 0;
     }
+    if (length <= 0) {
+        return 0;
+    }
     // cout << "sock = " << sock << endl;
     char *buf_ptr = save_buf + save_len;
-    int result = sock.recv(buf_ptr, SG_IO_MAX_MSG_SIZE, 0);
+    // prevent buffer overflow (size of save_buf is 2 * SG_IO_MAX_MSG_SIZE)
+    int maxsize = save_len < SG_IO_MAX_MSG_SIZE ?
+        SG_IO_MAX_MSG_SIZE : 2 * SG_IO_MAX_MSG_SIZE - save_len;
+    int result = sock.recv(buf_ptr, maxsize, 0);
     // printf("msg received = %s\n", buf);
     save_len += result;
@@ -142,6 +153,8 @@ int SGSocketUDP::readline( char *buf, int length ) {
         // we found an end of line
         // copy to external buffer
+        // prevent buffer overflow
+        result = std::min(result,length - 1);
         strncpy( buf, save_buf, result );
         buf[result] = '\0';
         // cout << "sg_socket line = " << buf << endl;
-- 
2.39.5
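Review bot: The added `std::min(length - 1, SG_IO_MAX_MSG_SIZE)` in read() only compiles if both arguments have the same type and `<algorithm>` is in scope; neither the type of SG_IO_MAX_MSG_SIZE nor the include list is visible in this hunk, so confirm both (the third hunk in readline uses the same call). If the constant is not a plain int, spell the bound explicitly as `int maxsize = std::min<int>(length - 1, SG_IO_MAX_MSG_SIZE);`. The bound itself is correct for the caller's buffer: result can never exceed length - 1, so the terminator store `buf[result] = '\0'` stays in bounds. read()'s body continues outside the hunk.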
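Review bot: `save_len += result;` still runs when `sock.recv()` returns a negative value, which moves save_len backwards and makes the next call's buf_ptr and maxsize computation wrong; the new bound protects the successful path but not the error path. Guard it before the accumulation, e.g. `if (result < 0) { return 0; }`, matching whatever error return the rest of readline uses (its body continues outside the hunk). Separately, once save_len reaches 2 * SG_IO_MAX_MSG_SIZE the computed maxsize is 0, so recv is asked for zero bytes; whether the code after the hunk drains save_buf in that situation cannot be seen here and is worth confirming so a full buffer with no newline cannot stall the reader.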
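Review bot: Clamping `result` in place discards the real line length: if the code after `buf[result] = '\0'` uses `result` to shift the consumed line out of save_buf (that code is outside the hunk, so this is inferred), a line longer than length - 1 leaves its tail in save_buf and is handed back as a separate line on the next call. Keep the original length in its own variable, `int line_len = result;` before `result = std::min(result,length - 1);`, and use line_len for the buffer shift. The clamp itself is sound for the destination: both the strncpy and the terminator write stay inside buf. readline's body continues outside the hunk.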