core: Fix a possible buffer overflow using getself_name().

If the passed buffer is smaller than MAX_NAME_LENGTH then, you will probably overflow it.
2024-03-22 13:30:51 +08:00 · 2013-08-11 15:24:47 +02:00 · 2013-08-11 15:24:47 +02:00 · 6b06431e9b
commit 6b06431e9b
parent 6b256ffdb4
5 changed files with 25 additions and 9 deletions
--- a/auto_tests/messenger_test.c
+++ b/auto_tests/messenger_test.c
@ -169,7 +169,7 @@ START_TEST(test_getself_name)
    char nick_check[len];

    setname(m, (uint8_t *)nickname, len);
-    getself_name(m, (uint8_t *)nick_check);
+    getself_name(m, (uint8_t *)nick_check, len);

    ck_assert_msg((!STRINGS_EQUAL(nickname, nick_check)),
        "getself_name failed to return the known name!\n"
--- a/core/Messenger.c
+++ b/core/Messenger.c
@ -267,10 +267,18 @@ int setname(Messenger *m, uint8_t * name, uint16_t length)
   put it in name
   name needs to be a valid memory location with a size of at least MAX_NAME_LENGTH bytes.
   return the length of the name */
-uint16_t getself_name(Messenger *m, uint8_t *name)
+uint16_t getself_name(Messenger *m, uint8_t *name, uint16_t nlen)
 {
+    uint16_t len;
+
+    if (name == NULL || nlen == 0) {
+        return 0;
+    }
+
+    len = MIN(nlen, m->name_length);
    memcpy(name, m->name, m->name_length);
-    return m->name_length;
+
+    return len;
 }

 /* get name of friendnumber
--- a/core/Messenger.h
+++ b/core/Messenger.h
@ -196,10 +196,18 @@ int m_sendaction(Messenger *m, int friendnumber, uint8_t *action, uint32_t lengt
   return -1 if failure */
 int setname(Messenger *m, uint8_t *name, uint16_t length);

-/* get our nickname
-   put it in name
-   return the length of the name*/
-uint16_t getself_name(Messenger *m, uint8_t *name);
+/**
+ * @brief Get your nickname.
+ *
+ * @param[in]  m        The messanger context to use.
+ *
+ * @param[inout]  name    Pointer to a string for the name.
+ *
+ * @param[in]  nlen     The length of the string buffer.
+ *
+ * @return Return the length of the name, 0 on error.
+ */
+uint16_t getself_name(Messenger *m, uint8_t *name, uint16_t nlen);

 /* get name of friendnumber
    put it in name
--- a/testing/nTox.c
+++ b/testing/nTox.c
@ -113,7 +113,7 @@ char *format_message(Messenger *m, char *message, int friendnum)
    if (friendnum != -1) {
            getname(m, friendnum, (uint8_t*)name);
    } else {
-            getself_name(m, (uint8_t*)name);
+            getself_name(m, (uint8_t*)name, sizeof(name));
    }
    char *msg = malloc(100+strlen(message)+strlen(name)+1);

--- a/testing/toxic/chat.c
+++ b/testing/toxic/chat.c
@ -210,7 +210,7 @@ void execute(ToxWindow *self, ChatContext *ctx, Messenger *m, char *cmd, struct
    wattroff(ctx->history, COLOR_PAIR(2));

    uint8_t selfname[MAX_NAME_LENGTH];
-    int len = getself_name(m, selfname);
+    int len = getself_name(m, selfname, sizeof(selfname));
    char msg[MAX_STR_SIZE-len-4];
    snprintf(msg, sizeof(msg), "* %s %s\n", (uint8_t*) selfname, action);