Merge pull request #4043

34de7bc2 device_ledger: fix buffer underflow on bad data from device (moneromooo-monero) 41e9cab4 device: misc cleanup (moneromooo-monero) 3b4dec2d device_ledger: fix potential buffer overflow from bad size calc (moneromooo-monero)
author: Riccardo Spagni <ric@spagni.net> 2018-07-03 15:21:56 +0200
committer: Riccardo Spagni <ric@spagni.net> 2018-07-03 15:21:56 +0200
commit: d1f102626c47bfea1f38d9012793f00933bb83eb (patch)
tree: 27cf204753cf3ee80a7a4b917160c42965049950 /src/device/device_ledger.cpp
parent: Merge pull request #4042 (diff)
parent: device_ledger: fix buffer underflow on bad data from device (diff)
download: monero-d1f102626c47bfea1f38d9012793f00933bb83eb.tar.xz
1 files changed, 8 insertions, 5 deletions
diff --git a/src/device/device_ledger.cpp b/src/device/device_ledger.cpp
index c70422887..f716f8ded 100644
--- a/src/device/device_ledger.cpp
+++ b/src/device/device_ledger.cpp
@@ -187,14 +187,15 @@ namespace hw {
     void device_ledger::logCMD() {
       if (apdu_verbose) {
         char  strbuffer[1024];
-        sprintf(strbuffer, "%.02x %.02x %.02x %.02x %.02x ",
+        snprintf(strbuffer, sizeof(strbuffer), "%.02x %.02x %.02x %.02x %.02x ",
           this->buffer_send[0],
           this->buffer_send[1],
           this->buffer_send[2],
           this->buffer_send[3],
           this->buffer_send[4]
           );
-        buffer_to_str(strbuffer+strlen(strbuffer), sizeof(strbuffer), (char*)(this->buffer_send+5), this->length_send-5);
+        const size_t len = strlen(strbuffer);
+        buffer_to_str(strbuffer+len, sizeof(strbuffer)-len, (char*)(this->buffer_send+5), this->length_send-5);
         MDEBUG( "CMD  :" << strbuffer);
       }
     }
@@ -202,11 +203,12 @@ namespace hw {
     void device_ledger::logRESP() {
       if (apdu_verbose) {
         char  strbuffer[1024];
-        sprintf(strbuffer, "%.02x%.02x ",
+        snprintf(strbuffer, sizeof(strbuffer), "%.02x%.02x ",
           this->buffer_recv[this->length_recv-2],
           this->buffer_recv[this->length_recv-1]
           );
-        buffer_to_str(strbuffer+strlen(strbuffer), sizeof(strbuffer), (char*)(this->buffer_recv), this->length_recv-2);
+        const size_t len = strlen(strbuffer);
+        buffer_to_str(strbuffer+len, sizeof(strbuffer)-len, (char*)(this->buffer_recv), this->length_recv-2);
         MDEBUG( "RESP :" << strbuffer);
 
       }
@@ -293,7 +295,7 @@ namespace hw {
      
     unsigned int device_ledger::exchange(unsigned int ok, unsigned int mask) {
       LONG rv;
-      int sw;
+      unsigned int sw;
 
       ASSERT_T0(this->length_send <= BUFFER_SEND_SIZE);
       logCMD();
@@ -302,6 +304,7 @@ namespace hw {
                          SCARD_PCI_T0, this->buffer_send, this->length_send,
                          NULL,         this->buffer_recv, &this->length_recv);
       ASSERT_RV(rv);
+      ASSERT_T0(this->length_recv >= 2);
       ASSERT_T0(this->length_recv <= BUFFER_RECV_SIZE);
       logRESP();
author	Riccardo Spagni <ric@spagni.net>	2018-07-03 15:21:56 +0200
committer	Riccardo Spagni <ric@spagni.net>	2018-07-03 15:21:56 +0200
commit	d1f102626c47bfea1f38d9012793f00933bb83eb (patch)
tree	27cf204753cf3ee80a7a4b917160c42965049950 /src/device/device_ledger.cpp
parent	Merge pull request #4042 (diff)
parent	device_ledger: fix buffer underflow on bad data from device (diff)
download	monero-d1f102626c47bfea1f38d9012793f00933bb83eb.tar.xz