Change in ...libosmocore[master]: vty/vty.c: fix vty_execute(): prevent further heap-buffer overrun

[Vadim Yanitskiy]

Vadim Yanitskiy has posted comments on this change. ( https://gerrit.osmocom.org/c/libosmocore/+/14973 )

Change subject: vty/vty.c: fix vty_execute(): prevent further heap-buffer overrun
......................................................................


Patch Set 1:

(1 comment)

https://gerrit.osmocom.org/#/c/14973/1/src/vty/vty.c 
File src/vty/vty.c:

https://gerrit.osmocom.org/#/c/14973/1/src/vty/vty.c@690 
PS1, Line 690: 	vty->buf[vty->length] = '\0';
> Rather move this to vty_read(), immediately before read() call. […]
No way, because vty_read() read()s into a temporary buffer of fixed size on stack, and then parses each received symbol in a loop. Regular ASCII symbols are getting copied to another buffer on heap, which can also be reallocated if needed:

  if (buf[i] > 31 && buf[i] < 127)
    vty_self_insert(vty, buf[i]);

Therefore neither adding '\0' before read() nor after would help.

I still can move this code to vty_read() just before calling vty_execute().



-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/14973
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I82f774ad18d0e555eb8f3590a519946d9c583c78
Gerrit-Change-Number: 14973
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-Comment-Date: Tue, 30 Jul 2019 03:03:52 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: pespin <pespin at sysmocom.de>
Gerrit-MessageType: comment
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190730/b3a181e8/attachment.htm>