Fix buffer overflow CVE-2012-2091 (thanks to Saikrishna Arcot)

https://bugs.launchpad.net/ubuntu/+source/simgear/+bug/1077624
(discussed in comments 65-78)
(This is already fixed in 2.12 but appears to have been forgotten in 2.99;
the other vulnerabilities described there are already fixed.)
This commit is contained in:
Rebecca Palmer 2013-12-17 17:40:33 +00:00 committed by James Turner
parent 16fa4d1d17
commit 407c7a10f5


@ -103,9 +103,14 @@ int SGSocketUDP::read( char *buf, int length ) {
return 0; return 0;
} }
if (length <= 0) {
return 0;
}
int result; int result;
// prevent buffer overflow
int maxsize = std::min(length - 1, SG_IO_MAX_MSG_SIZE);
if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) { if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
buf[result] = '\0'; buf[result] = '\0';
// printf("msg received = %s\n", buf); // printf("msg received = %s\n", buf);
} }
@ -120,10 +125,16 @@ int SGSocketUDP::readline( char *buf, int length ) {
return 0; return 0;
} }
if (length <= 0) {
return 0;
}
// cout << "sock = " << sock << endl; // cout << "sock = " << sock << endl;
char *buf_ptr = save_buf + save_len; char *buf_ptr = save_buf + save_len;
int result = sock.recv(buf_ptr, SG_IO_MAX_MSG_SIZE, 0); // prevent buffer overflow (size of save_buf is 2 * SG_IO_MAX_MSG_SIZE)
int maxsize = save_len < SG_IO_MAX_MSG_SIZE ?
SG_IO_MAX_MSG_SIZE : 2 * SG_IO_MAX_MSG_SIZE - save_len;
int result = sock.recv(buf_ptr, maxsize, 0);
// printf("msg received = %s\n", buf); // printf("msg received = %s\n", buf);
save_len += result; save_len += result;
@ -142,6 +153,8 @@ int SGSocketUDP::readline( char *buf, int length ) {
// we found an end of line // we found an end of line
// copy to external buffer // copy to external buffer
// prevent buffer overflow
result = std::min(result,length - 1);
strncpy( buf, save_buf, result ); strncpy( buf, save_buf, result );
buf[result] = '\0'; buf[result] = '\0';
// cout << "sg_socket line = " << buf << endl; // cout << "sg_socket line = " << buf << endl;
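Review bot: In readline (second hunk, `@ -120,10 +125,16 @@`), the result of the newly bounded call `int result = sock.recv(buf_ptr, maxsize, 0);` is still added to `save_len` unconditionally on the line `save_len += result;`, so a negative error return shrinks `save_len` and the next `char *buf_ptr = save_buf + save_len;` can point before the start of `save_buf`. The first hunk (read) already guards its recv with `>= 0`; the same check belongs here, e.g. `if (result < 0) return 0;` inserted between the recv call and `save_len += result;` (the return value is chosen to match the function's visible early exits — confirm against the rest of the body). A secondary point: once `save_len` has reached `2 * SG_IO_MAX_MSG_SIZE` the ternary yields `maxsize == 0`, so the call can make no progress; whatever resets `save_len` lives outside the hunk, and a comment such as `// maxsize == 0: save_buf is full, recv returns without consuming data` next to the ternary would make that reliance explicit. The body of readline begins and continues outside the hunk.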