Commit b9988e2b authored by Evan Huus

ncp2222: don't overflow buffer constructing string

Fixes stack-smashing vuln.

Somehow there was already an XXX in the code about this, but nobody realized at
the time it was worth fixing... really?

Bug: 10552
Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
Reviewed-on: Evan Huus <>
parent 8fb74b4a
......@@ -2755,8 +2755,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
case 18:
case 19:
case 20: /* string */
/* XXX: Should we verify: buffer_size is as large as value returned by get_finfo_length(...) ??? */
uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
if (repeat_lookup > 0) {
if (strlen(temp_buffer) + strlen(buffer) < 250) {
g_strlcat(temp_buffer, buffer, 256);
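Review bot: In the new uni_to_string call, MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size) caps the copy length at buffer_size, which leaves no room for a terminator. The strlen(buffer) check on the following lines relies on buffer being NUL-terminated, so if uni_to_string writes the terminator after the last copied character, a field of buffer_size or more bytes can still write one byte past the end of buffer. Suggest capping at buffer_size - 1 (with a guard for buffer_size == 0), or passing the destination size into uni_to_string so the bound is enforced where the write happens. If the XXX comment goes away with this change, a short comment noting that the string is now silently truncated to the buffer would be worth having in its place.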