File: 0014-Fix-stack-buffer-overflow-in-airspy_version_string_r.patch

package info (click to toggle)
airspyone-host 1.0.10-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 2,200 kB
  • sloc: ansic: 6,550; sh: 31; xml: 20; makefile: 2
file content (66 lines) | stat: -rw-r--r-- 2,790 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
From 959afe23db320af6f7d9b82e65dbb24b5b3d3f68 Mon Sep 17 00:00:00 2001
From: Sergey Sharybin <sergey.vfx@gmail.com>
Date: Sat, 15 Oct 2022 16:02:07 +0200
Subject: [PATCH 14/29] Fix stack buffer overflow in
 airspy_version_string_read() (#90)

If one follows the comment about length needing to be at least 128
and passes string of the maximum possible size of 255 this function
used to access stack memory past the local buffer.

Now the local buffer is zeroed out, and only maximum possible number
if bytes are copied, taking into account both local buffer and the
version string sizes. This makes it possible to pass string buffer
both larger or smaller than the local buffer without any memory
access past the buffer boundaries.

Adjusted the comment in the header stating that the string needs
to be of a certain size to avoid clipping.

There should be no changes from the API or behavior point of view.
---
 libairspy/src/airspy.c | 7 ++++---
 libairspy/src/airspy.h | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/libairspy/src/airspy.c b/libairspy/src/airspy.c
index 068d054..1c53c06 100644
--- a/libairspy/src/airspy.c
+++ b/libairspy/src/airspy.c
@@ -1547,7 +1547,7 @@ int airspy_list_devices(uint64_t *serials, int count)
 	{
 #define VERSION_LOCAL_SIZE (128)
 		int result;
-		char version_local[VERSION_LOCAL_SIZE];
+		char version_local[VERSION_LOCAL_SIZE] = "";
 
 		result = libusb_control_transfer(
 			device->usb_device,
@@ -1567,8 +1567,9 @@ int airspy_list_devices(uint64_t *serials, int count)
 		{
 			if (length > 0)
 			{
-				memcpy(version, version_local, length - 1);
-				version[length - 1] = 0;
+				const int num_bytes_to_copy = (length > VERSION_LOCAL_SIZE ? VERSION_LOCAL_SIZE : length) - 1;
+				memcpy(version, version_local, num_bytes_to_copy);
+				version[num_bytes_to_copy] = 0;
 				return AIRSPY_SUCCESS;
 			}
 			else
diff --git a/libairspy/src/airspy.h b/libairspy/src/airspy.h
index 3f442da..489962a 100644
--- a/libairspy/src/airspy.h
+++ b/libairspy/src/airspy.h
@@ -169,7 +169,7 @@ extern ADDAPI int ADDCALL airspy_spiflash_write(struct airspy_device* device, co
 extern ADDAPI int ADDCALL airspy_spiflash_read(struct airspy_device* device, const uint32_t address, const uint16_t length, unsigned char* data);
 
 extern ADDAPI int ADDCALL airspy_board_id_read(struct airspy_device* device, uint8_t* value);
-/* Parameter length shall be at least 128bytes */
+/* Parameter length shall be at least 128bytes to avoid possible string clipping */
 extern ADDAPI int ADDCALL airspy_version_string_read(struct airspy_device* device, char* version, uint8_t length);
 
 extern ADDAPI int ADDCALL airspy_board_partid_serialno_read(struct airspy_device* device, airspy_read_partid_serialno_t* read_partid_serialno);
-- 
2.47.3