authorGravatar Dirk Hohndel <dirk@hohndel.org>2013-03-03 17:53:43 -0800
committerGravatar Dirk Hohndel <dirk@hohndel.org>2013-03-03 20:18:23 -0800
commit01291929582ac573d7efd7fba3dbe061c9d70f9a (patch)
treecc836d5c2e40d26dd8f39dd5bad6c5193f2ef04d /webservice.c
parent93eeb03d67baac26da4153a163bf35567b106524 (diff)
downloadsubsurface-01291929582ac573d7efd7fba3dbe061c9d70f9a.tar.gz
Try to capture some more potential buffer overflows caused by localization
A couple of these could clearly cause a crash just like the one fixed by commit 00865f5a1e1a ("equipment.c: Fix potential buffer overflow in size_data_funct()"). One would append user input to fixed length buffer without checking. We were hardcoding the (correct) max path length in macos.c - replaced by the actual OS constant. But the vast majority are just extremely generous guesses how long localized strings could possibly be. Yes, this commit is likely leaning towards overkill. But we have now been bitten by buffer overflow crashes twice that were caused by localization, so I tried to go through all of the code and identify every possible buffer that could be affected by this. Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
Diffstat (limited to 'webservice.c')
-rw-r--r--webservice.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/webservice.c b/webservice.c
index be3e1d273..9cdd75ced 100644
--- a/webservice.c
+++ b/webservice.c
@@ -49,11 +49,11 @@ gboolean webservice_request_user_xml(const gchar *user_id,
SoupMessage *msg;
SoupSession *session;
gboolean ret = FALSE;
- gchar url[80] = {0};
+ gchar url[256] = {0};
session = soup_session_async_new();
strcat(url, "http://api.hohndel.org/api/dive/get/?login=");
- strcat(url, user_id);
+ strncat(url, user_id, sizeof(url) - strlen(url) - 1);
msg = soup_message_new("GET", url);
soup_message_headers_append(msg->request_headers, "Accept", "text/xml");
soup_session_send_message(session, msg);
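Review bot: The `strncat` on the `user_id` line bounds the copy but still puts the raw login into the query string, so a value containing `&`, `#`, `%` or a space changes or breaks the request, and a login longer than the remaining space is silently truncated into a different login. `soup_message_new` returns NULL when the URI cannot be parsed, and the following line dereferences `msg->request_headers` without a check. Building the URL on the heap with the login percent-escaped removes both the fixed size and the truncation; a sketch follows, and the rest of webservice_request_user_xml lies outside the hunk. The login also travels over plain `http://`, which deserves a comment if the API has no TLS endpoint.

```c
	gchar *escaped_id, *url;

	session = soup_session_async_new();
	/* escape the login so '&', '#' or '%' in it cannot alter the query */
	escaped_id = g_uri_escape_string(user_id, NULL, FALSE);
	url = g_strdup_printf("http://api.hohndel.org/api/dive/get/?login=%s", escaped_id);
	g_free(escaped_id);
	msg = soup_message_new("GET", url);
	g_free(url);
	/* … unchanged: Accept header, soup_session_send_message … */
```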
@@ -115,7 +115,7 @@ static void download_dialog_connect_cb(GtkWidget *w, gpointer data)
guint len, status_connect, status_xml;
gchar *xmldata;
gboolean ret;
- gchar err[128] = {0};
+ gchar err[256] = {0};
gtk_label_set_text(GTK_LABEL(state->status), _("Connecting..."));
gtk_widget_set_sensitive(state->apply, FALSE);
@@ -126,7 +126,7 @@ static void download_dialog_connect_cb(GtkWidget *w, gpointer data)
if (status_xml != DD_STATUS_OK)
ret = FALSE;
} else {
- sprintf(err, "%s %u!", download_dialog_status_text(DD_STATUS_ERROR_CONNECT), status_connect);
+ snprintf(err, sizeof(err), "%s %u!", download_dialog_status_text(DD_STATUS_ERROR_CONNECT), status_connect);
gtk_label_set_text(GTK_LABEL(state->status), err);
}
state->xmldata = xmldata;
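Review bot: `snprintf` into `err` now truncates instead of overflowing, but a cut can land in the middle of a multi-byte UTF-8 sequence of the translated status text, and `gtk_label_set_text` expects valid UTF-8. Letting GLib size the string avoids guessing a length at all: `gchar *err = g_strdup_printf("%s %u!", download_dialog_status_text(DD_STATUS_ERROR_CONNECT), status_connect);` followed by `gtk_label_set_text(GTK_LABEL(state->status), err);` and `g_free(err);`. That would also make the `gchar err[256]` declaration in the previous hunk unnecessary. download_dialog_connect_cb starts and ends outside this hunk.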