From 662578dbe79da90ff3f97ac2371b48100358ab61 Mon Sep 17 00:00:00 2001 From: ThorstenB Date: Sat, 23 Oct 2010 14:47:24 +0200 Subject: [PATCH] Buffer size safety. Do not look for '\n' beyond valid data area. Obey buffer length (in case a METAR contained a line > 512byte). --- simgear/io/sg_socket.cxx | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/simgear/io/sg_socket.cxx b/simgear/io/sg_socket.cxx index 636ff345..770bb51d 100644 --- a/simgear/io/sg_socket.cxx +++ b/simgear/io/sg_socket.cxx @@ -296,7 +296,7 @@ SGSocket::readline( char *buf, int length ) int i; for ( i = 0; i < save_len && save_buf[i] != '\n'; ++i ) ; - if ( save_buf[i] == '\n' ) { + if (( i < save_len ) && ( save_buf[i] == '\n' )) { result = i + 1; } else { // no end of line yet @@ -305,9 +305,16 @@ SGSocket::readline( char *buf, int length ) // we found an end of line + // check buffer size + int copy_length = result; + if (copy_length >= length) { + SG_LOG( SG_IO, SG_ALERT, + "Alert: readline() has line exceeding the buffer size." ); + copy_length = length-1; + } // copy to external buffer - strncpy( buf, save_buf, result ); - buf[result] = '\0'; + strncpy( buf, save_buf, copy_length ); + buf[copy_length] = '\0'; // shift save buffer //memmove( save_buf+, save_buf+, ? );