-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't overflow callsign buffer in QTC parsing #438
Conversation
Two questions:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a question, please take a look at that. Btw it's a nice catch, thanks!
strncpy must copy at most one less byte than what fits into the destination buffer, so we can properly NUL-terminate it. While at it, introduce a proper constant for the size of the buffer.
988dad2
to
9554c0c
Compare
Since the old buffer was only 15 bytes, and no one complained about problems, I figured that everyone was happy with 14 characters in practice. We could resize the buffer, though. NUL-termination is done a few lines down in https://github.com/Tlf/tlf/pull/438/files#diff-3fa5e7b67061091b07b1e965f8b50fe4fe7e4824ba82aabdafeb0be7a71722b3R162, though perhaps that I removed the duplicated macro. (It turned out that including qtcvars.h there is enough, apparently that solution was too complicated for me yesterday night 🥱 ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Before that check
No worries, I'm sure everyone was in same situation 😄. Thanks for contributing! @dl1jbe Thomas feel free to merge if you think everything is okay. |
If we assume a long callsign with 14 characters it may happen that the while loop terminates way beyond the callsign field and then the \0 goes out of bounds. I think we should fix these problem while we at it now. Limiting the number of tests (for{} loop instead of while{}) or using max(i, QTC_CALL_SIZE-1) could do. Other way would be to zero out the buffer before and copy characters until ' ' character found or limit reached. |
May be a new condition would be enough here: while (i < QTC_CALL_SIZE && callsign[i] != ' ') { (I intentionally put the new condition forward.) |
That was what I meant by 'limiting the number of tests'. But shouldn't it be 'i < QTC_CALL_SIZE - 1' to keep the index inside the field? |
ah, thanks!
You're right, @df7cb do you want to add this new condition to this patch? |
Seems not so. So please see the code at https://github.com/Tlf/tlf/tree/qtc_call_size That should do it. @airween BTW, we allow 'SEND', 'RECV' and 'SEND|RECV' for qtcdirection, but in more than one case we check only for 'direction == SEND' or 'direction == RECV'. That would exclude the case when both are set simultaneously. Can you please check and verify that the code is correct in these cases. |
Then I suggest merge this PR and then I'm going to add that fix too.
I can take a look it later - thanks for letting know this. |
Well. I'll merge it and add the fix for the loop termination afterwards. Anyway thanks for the PR to @df7cb. |
Thanks for merging, and sorry for the lack of earlier feedback, my TODO list is packed unhealthily dense. |
strncpy must copy at most one less byte than what fits into the destination buffer, so we can properly NUL-terminate it.
While at it, introduce a proper constant for the size of the buffer.