txtinfo: prevent buffer overflow
authorFerry Huberts <ferry.huberts@pelagic.nl>
Fri, 3 May 2013 09:19:40 +0000 (11:19 +0200)
committerFerry Huberts <ferry.huberts@pelagic.nl>
Fri, 3 May 2013 09:20:27 +0000 (11:20 +0200)
Reported-by: Saverio Proto <zioproto@gmail.com>
Tested-by: Saverio Proto <zioproto@gmail.com>
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
lib/txtinfo/src/olsrd_txtinfo.c

index 73c3473..d1ac379 100644 (file)
@@ -64,6 +64,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <errno.h>
+#include <assert.h>
 
 #include "ipcalc.h"
 #include "olsr.h"
@@ -137,7 +138,7 @@ static char *outbuffer[MAX_CLIENTS];
 static size_t outbuffer_size[MAX_CLIENTS];
 static size_t outbuffer_written[MAX_CLIENTS];
 static int outbuffer_socket[MAX_CLIENTS];
-static int outbuffer_count;
+static int outbuffer_count = 0;
 
 static struct timer_entry *writetimer_entry;
 
@@ -254,6 +255,10 @@ ipc_action(int fd, void *data __attribute__ ((unused)), unsigned int flags __att
 
   socklen_t addrlen = sizeof(pin);
 
+  if (outbuffer_count >= MAX_CLIENTS) {
+    return;
+  }
+
   if ((ipc_connection = accept(fd, &pin.in, &addrlen)) == -1) {
 #ifndef NODEBUG
     olsr_printf(1, "(TXTINFO) accept()=%s\n", strerror(errno));
@@ -738,6 +743,8 @@ send_info(unsigned int send_what, int the_socket)
   /* version */
   if ((send_what & SIW_VERSION) == SIW_VERSION) ipc_print_version(&abuf);
 
+  assert(outbuffer_count < MAX_CLIENTS);
+
   outbuffer[outbuffer_count] = olsr_malloc(abuf.len, "txt output buffer");
   outbuffer_size[outbuffer_count] = abuf.len;
   outbuffer_written[outbuffer_count] = 0;