Merged revisions 106552 via svnmerge from
authorTilghman Lesher <tilghman@meg.abyt.es>
Fri, 7 Mar 2008 06:54:47 +0000 (06:54 +0000)
committerTilghman Lesher <tilghman@meg.abyt.es>
Fri, 7 Mar 2008 06:54:47 +0000 (06:54 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r106552 | tilghman | 2008-03-07 00:36:33 -0600 (Fri, 07 Mar 2008) | 6 lines

Safely use the strncat() function.
(closes issue #11958)
 Reported by: norman
 Patches:
       20080209__bug11958.diff.txt uploaded by Corydon76 (license 14)

........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@106553 65c4cc65-6c06-0410-ace0-fbb531ad65f3

13 files changed:
apps/app_chanspy.c
apps/app_rpt.c
apps/app_speech_utils.c
apps/app_voicemail.c
channels/chan_misdn.c
channels/chan_sip.c
funcs/func_enum.c
funcs/func_odbc.c
funcs/func_strings.c
main/asterisk.c
main/channel.c
main/frame.c
utils/extconf.c

index e0377d3..0bf6768 100644 (file)
@@ -682,7 +682,7 @@ static int common_exec(struct ast_channel *chan, const struct ast_flags *flags,
                                continue;
 
                        strcpy(peer_name, "spy-");
-                       strncat(peer_name, peer->name, AST_NAME_STRLEN);
+                       strncat(peer_name, peer->name, AST_NAME_STRLEN - 4 - 1);
                        ptr = strchr(peer_name, '/');
                        *ptr++ = '\0';
 
index f703aae..0957af0 100644 (file)
@@ -3321,7 +3321,7 @@ static int function_macro(struct rpt *myrpt, char *param, char *digitbuf, int co
                return DC_ERROR;
        }
        myrpt->macrotimer = MACROTIME;
-       strncat(myrpt->macrobuf, val, sizeof(myrpt->macrobuf) - 1);
+       strncat(myrpt->macrobuf, val, sizeof(myrpt->macrobuf) - strlen(myrpt->macrobuf) - 1);
        rpt_mutex_unlock(&myrpt->lock);
        return DC_COMPLETE;     
 }
@@ -3369,7 +3369,7 @@ static int function_gosub(struct rpt *myrpt, char *param, char *digitbuf, int co
                return DC_ERROR;
        }
        myrpt->gosubtimer = GOSUBTIME;
-       strncat(myrpt->gosubbuf, val, sizeof(myrpt->gosubbuf) - 1);
+       strncat(myrpt->gosubbuf, val, sizeof(myrpt->gosubbuf) - strlen(myrpt->gosubbuf) - 1);
        rpt_mutex_unlock(&myrpt->lock);
        return DC_COMPLETE;     
 }
index 2445955..221d2eb 100644 (file)
@@ -696,7 +696,7 @@ static int speech_background(struct ast_channel *chan, void *data)
                                        }
                                        time(&start);
                                        snprintf(tmp, sizeof(tmp), "%c", f->subclass);
-                                       strncat(dtmf, tmp, sizeof(dtmf));
+                                       strncat(dtmf, tmp, sizeof(dtmf) - strlen(dtmf) - 1);
                                        /* If the maximum length of the DTMF has been reached, stop now */
                                        if (max_dtmf_len && strlen(dtmf) == max_dtmf_len)
                                                done = 1;
index e250c1f..84b1f31 100644 (file)
@@ -4085,8 +4085,8 @@ static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu,
        make_file(msgfile, sizeof(msgfile), curdir, curmsg);
        strcpy(textfile, msgfile);
        strcpy(backup, msgfile);
-       strncat(textfile, ".txt", sizeof(textfile) - 1);
-       strncat(backup, "-bak", sizeof(backup) - 1);
+       strncat(textfile, ".txt", sizeof(textfile) - strlen(textfile) - 1);
+       strncat(backup, "-bak", sizeof(backup) - strlen(backup) - 1);
 
        msg_cfg = ast_config_load(textfile, config_flags);
 
index 252b004..f94f252 100644 (file)
@@ -2384,12 +2384,12 @@ static int misdn_digit_end(struct ast_channel *ast, char digit, unsigned int dur
        switch (p->state ) {
        case MISDN_CALLING:
                if (strlen(bc->infos_pending) < sizeof(bc->infos_pending) - 1)
-                       strncat(bc->infos_pending, buf, sizeof(bc->infos_pending) - 1);
+                       strncat(bc->infos_pending, buf, sizeof(bc->infos_pending) - strlen(bc->infos_pending) - 1);
                break;
        case MISDN_CALLING_ACKNOWLEDGE:
                ast_copy_string(bc->info_dad, buf, sizeof(bc->info_dad));
                if (strlen(bc->dad) < sizeof(bc->dad) - 1)
-                       strncat(bc->dad, buf, sizeof(bc->dad) - 1);
+                       strncat(bc->dad, buf, sizeof(bc->dad) - strlen(bc->dad) - 1);
                ast_copy_string(p->ast->exten, bc->dad, sizeof(p->ast->exten));
                misdn_lib_send_event( bc, EVENT_INFORMATION);
                break;
@@ -4112,7 +4112,7 @@ cb_events(enum event_e event, struct misdn_bchannel *bc, void *user_data)
                                ast_copy_string(bc->info_dad, bc->keypad, sizeof(bc->info_dad));
                        }
 
-                       strncat(bc->dad,bc->info_dad, sizeof(bc->dad) - 1);
+                       strncat(bc->dad,bc->info_dad, sizeof(bc->dad) - strlen(bc->dad) - 1);
                        ast_copy_string(ch->ast->exten, bc->dad, sizeof(ch->ast->exten));
 
                        /* Check for Pickup Request first */
@@ -4186,7 +4186,7 @@ cb_events(enum event_e event, struct misdn_bchannel *bc, void *user_data)
                        misdn_cfg_get(0, MISDN_GEN_APPEND_DIGITS2EXTEN, &digits, sizeof(digits));
                        if (ch->state != MISDN_CONNECTED ) {
                                if (digits) {
-                                       strncat(bc->dad, bc->info_dad, sizeof(bc->dad) - 1);
+                                       strncat(bc->dad, bc->info_dad, sizeof(bc->dad) - strlen(bc->dad) - 1);
                                        ast_copy_string(ch->ast->exten, bc->dad, sizeof(ch->ast->exten));
                                        ast_cdr_update(ch->ast);
                                }
index fa9052d..4064521 100644 (file)
@@ -2208,7 +2208,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_serve
                                ast_mutex_unlock(req.socket.lock);
                        if (me->stop) 
                                 goto cleanup;
-                       strncat(req.data, buf, sizeof(req.data) - req.len);
+                       strncat(req.data, buf, sizeof(req.data) - req.len - 1);
                        req.len = strlen(req.data);
                }
                parse_copy(&reqcpy, &req);
@@ -2223,7 +2223,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_serve
                                if (me->stop)
                                        goto cleanup;
                                cl -= strlen(buf);
-                               strncat(req.data, buf, sizeof(req.data) - req.len);
+                               strncat(req.data, buf, sizeof(req.data) - req.len - 1);
                                req.len = strlen(req.data);
                        }
                }
index d698819..a60b748 100644 (file)
@@ -93,7 +93,7 @@ static int function_enum(struct ast_channel *chan, const char *cmd, char *data,
        for (s = p = args.number; *s; s++) {
                if (*s != '-') {
                        snprintf(tmp, sizeof(tmp), "%c", *s);
-                       strncat(num, tmp, sizeof(num));
+                       strncat(num, tmp, sizeof(num) - strlen(num) - 1);
                }
 
        }
index fe7e989..1370187 100644 (file)
@@ -379,7 +379,7 @@ static int acf_odbc_read(struct ast_channel *chan, const char *cmd, char *s, cha
                                }
 
                                if (!ast_strlen_zero(colnames))
-                                       strncat(colnames, ",", sizeof(colnames) - 1);
+                                       strncat(colnames, ",", sizeof(colnames) - strlen(colnames) - 1);
                                namelen = strlen(colnames);
 
                                /* Copy data, encoding '\' and ',' for the argument parser */
index aaa4b0a..45d476e 100644 (file)
@@ -322,7 +322,7 @@ static int hashkeys_read(struct ast_channel *chan, const char *cmd, char *data,
        AST_LIST_TRAVERSE(&chan->varshead, newvar, entries) {
                if (strncasecmp(prefix, ast_var_name(newvar), plen) == 0) {
                        /* Copy everything after the prefix */
-                       strncat(buf, ast_var_name(newvar) + plen, len);
+                       strncat(buf, ast_var_name(newvar) + plen, len - strlen(buf) - 1);
                        /* Trim the trailing ~ */
                        buf[strlen(buf) - 1] = ',';
                }
@@ -387,8 +387,8 @@ static int hash_read(struct ast_channel *chan, const char *cmd, char *data, char
                for (i = 0; i < arg2.argc; i++) {
                        snprintf(varname, sizeof(varname), HASH_FORMAT, arg.hashname, arg2.col[i]);
                        varvalue = pbx_builtin_getvar_helper(chan, varname);
-                       strncat(buf, varvalue, len);
-                       strncat(buf, ",", len);
+                       strncat(buf, varvalue, len - strlen(buf) - 1);
+                       strncat(buf, ",", len - strlen(buf) - 1);
                }
 
                /* Strip trailing comma */
index 21aee3b..37cc579 100644 (file)
@@ -2061,10 +2061,12 @@ static char *cli_prompt(EditLine *el)
                if (color_used) {
                        /* Force colors back to normal at end */
                        term_color_code(term_code, COLOR_WHITE, COLOR_BLACK, sizeof(term_code));
-                       if (strlen(term_code) > sizeof(prompt) - strlen(prompt))
-                               strncat(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code));
-                       else
+                       if (strlen(term_code) > sizeof(prompt) - strlen(prompt) - 1) {
+                               ast_copy_string(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code) + 1);
+                       } else {
+                               /* This looks wrong, but we've already checked the length of term_code to ensure it's safe */
                                strncat(p, term_code, sizeof(term_code));
+                       }
                }
        } else if (remotehostname)
                snprintf(prompt, sizeof(prompt), ASTERISK_PROMPT2, remotehostname);
index 3c68a71..20c2ee4 100644 (file)
@@ -4774,12 +4774,12 @@ char *ast_print_group(char *buf, int buflen, ast_group_t group)
        for (i = 0; i <= 63; i++) {     /* Max group is 63 */
                if (group & ((ast_group_t) 1 << i)) {
                        if (!first) {
-                               strncat(buf, ", ", buflen);
+                               strncat(buf, ", ", buflen - strlen(buf) - 1);
                        } else {
                                first = 0;
                        }
                        snprintf(num, sizeof(num), "%u", i);
-                       strncat(buf, num, buflen);
+                       strncat(buf, num, buflen - strlen(buf) - 1);
                }
        }
        return buf;
index 940ff5c..f2ceabf 100644 (file)
@@ -992,16 +992,16 @@ int ast_codec_pref_string(struct ast_codec_pref *pref, char *buf, size_t size)
                        slen = strlen(formatname);
                        if (slen > total_len)
                                break;
-                       strncat(buf,formatname,total_len);
+                       strncat(buf, formatname, total_len - 1); /* safe */
                        total_len -= slen;
                }
                if (total_len && x < 31 && ast_codec_pref_index(pref , x + 1)) {
-                       strncat(buf,"|",total_len);
+                       strncat(buf, "|", total_len - 1); /* safe */
                        total_len--;
                }
        }
        if (total_len) {
-               strncat(buf,")",total_len);
+               strncat(buf, ")", total_len - 1); /* safe */
                total_len--;
        }
 
index c5b9fbd..5d4b21e 100644 (file)
@@ -476,7 +476,7 @@ static void  CB_ADD_LEN(char *str, int len)
                        return;
                comment_buffer_size += CB_INCR+len+1;
        }
-       strncat(comment_buffer,str,len);
+       strncat(comment_buffer,str,len); /* safe */
        comment_buffer[cbl+len-1] = 0;
 }