From 0aea66bd756d2df11c8a3b3b0050d7b70ef74d8f Mon Sep 17 00:00:00 2001
From: Guilherme Maciel Ferreira
Date: Sat, 6 Aug 2011 14:52:07 -0300
Subject: [PATCH] Validates the ifr.ifr_name buffer size before copy (Thomas's advice)

---
 src/tcp/tcppinger.cpp | 29 +++++++++++++++++++++--------
 1 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/tcp/tcppinger.cpp b/src/tcp/tcppinger.cpp
index 494a87a..c35655b 100644
--- a/src/tcp/tcppinger.cpp
+++ b/src/tcp/tcppinger.cpp
@@ -118,15 +118,28 @@ uint32_t TcpPinger::get_source_address()
 {
     struct ifreq ifr;
     memset( &ifr, 0, sizeof(ifr) );
-    strcpy( ifr.ifr_name, SourceNetworkInterfaceName.c_str() );
-    ifr.ifr_addr.sa_family = AF_INET;
-    int ioctl_resp = ioctl( Socket.native(), SIOCGIFADDR, &ifr );
-    if ( ioctl_resp == 0)
+
+    // make sure the ifr.ifr_name has enough room to receive the network
+    // interface name
+    size_t network_interface_name_limit = sizeof(ifr.ifr_name);
+    if ( network_interface_name_limit > SourceNetworkInterfaceName.size() )
+    {
+        strncpy( ifr.ifr_name, SourceNetworkInterfaceName.c_str(), network_interface_name_limit );
+        ifr.ifr_addr.sa_family = AF_INET;
+
+        int ioctl_resp = ioctl( Socket.native(), SIOCGIFADDR, &ifr );
+        if ( ioctl_resp == 0)
+        {
+            return ((uint32_t) ifr.ifr_addr.sa_data[2] & 0xFF) << 24 |
+                   ((uint32_t) ifr.ifr_addr.sa_data[3] & 0xFF) << 16 |
+                   ((uint32_t) ifr.ifr_addr.sa_data[4] & 0xFF) << 8 |
+                   ((uint32_t) ifr.ifr_addr.sa_data[5] & 0xFF);
+        }
+    }
+    else
     {
-        return ((uint32_t) ifr.ifr_addr.sa_data[2] & 0xFF) << 24 |
-               ((uint32_t) ifr.ifr_addr.sa_data[3] & 0xFF) << 16 |
-               ((uint32_t) ifr.ifr_addr.sa_data[4] & 0xFF) << 8 |
-               ((uint32_t) ifr.ifr_addr.sa_data[5] & 0xFF);
+        GlobalLogger.error() << "Error: network interface name truncated"
+                             << endl;
     }
 
     return 0;
-- 
1.7.1
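Review bot: The new `else` branch reports the interface name as "truncated", but nothing is truncated — the copy is refused outright and the function falls through to `return 0`, which is also what the ioctl-failure path returns, so a caller cannot tell a rejected name from a lookup that found no address. A message such as `GlobalLogger.error() << "Error: network interface name too long for ifreq" << endl;` describes what actually happened, and the `ioctl_resp != 0` path would benefit from its own log line (it currently fails silently; `strerror(errno)` is available there) so that a zero source address is never returned without a trace. The length guard itself is sound: requiring `network_interface_name_limit > SourceNetworkInterfaceName.size()` leaves room for the terminator, so `strncpy`'s zero padding guarantees `ifr_name` is NUL-terminated; `network_interface_name_limit` could be declared `const size_t` since it is never reassigned. The function's signature is the hunk's context line and its closing brace lies outside the hunk.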