app_rpt.c: Fix truncated link list in RPT_LINK #470
Conversation
mkmer
force-pushed
the
finddelim-fix
branch
2 times, most recently
from
ce000cc to
7d2be48
Compare
Allan-N
changed the title
mkmer
force-pushed
the
finddelim-fix
branch
4 times, most recently
from
1da8f5e to
6d8f530
Compare
| time(&mylink->linklistreceived); | ||
| rpt_mutex_unlock(&myrpt->lock); | ||
| ast_debug(7, "@@@@ node %s recieved node list %s from node %s\n", myrpt->name, tmp, mylink->name); | ||
| return; | ||
| } | ||
| if (tmp[0] == 'M') { | ||
| rest = 0; | ||
| if (sscanf(tmp, "%s %s %s %n", cmd, src, dest, &rest) < 3) { | ||
| if (sscanf(tmp, "%s %s %s %n", cmd, src, dest, &rest) < 3) { /*TODO: We should limit to sizeof(cmd, src, dest)*/ |
There was a problem hiding this comment.
It seems like tmp is mutable since we already have a copy of it (I haven't fully verified though)
Instead of the existing code, maybe we should replace with strsep for the first 3 strings and just use sscanf for the numbers? That way we can fix the issue more robustly as opposed to making a TODO?
There was a problem hiding this comment.
I don't disagree we should fix this, but in the interest of keeping this PR pointed at the actual issue maybe do it in a new PR? I'm thinking there would be a "general" fix up sscanf buffer over potentials everywhere, and hopefully the same way.
As for scanf, would %299s protect us with a lighter touch?
There was a problem hiding this comment.
Maybe something like this....
#define SIZE = 300
char format[20];
char one[SIZE], two[SIZE], three[SIZE]
sprintf(format,"%%%ds %%%ds %%%ds",SIZE-1,SIZE-1,SIZE-1);
sscanf(s, format, one, two, three);
|
I general, this "fixes" the issue as seen. The questions that remain for a future PR (in my mind anyway):
|
Add some comments around the size issues
Add TODO to sscanf buffer protection in the future
Fixes #469 - processing received link list text message was limited to 512 characters. Expanded to MAXLINKLIST.