IOT-2796 prevent sprintf writing past array 25/22725/3
author George Nash <george.nash@intel.com>
Fri, 6 Oct 2017 21:46:49 +0000 (14:46 -0700)
committer Rick Bell <richard.s.bell@intel.com>
Mon, 9 Oct 2017 19:04:08 +0000 (19:04 +0000)
tmp is not large enough to hold the two characters
appended to it and the terminating null character.

To make room for the terminating null character the
arrays were increased in size by 1.

Bug: https://jira.iotivity.org/browse/IOT-2796
Change-Id: I53683401a581cef89c8d32088b47d87448140ca2
Signed-off-by: George Nash <george.nash@intel.com>
resource/csdk/security/tool/json2cbor.c

index 229d1b5..0ae8f16 100644 (file)
@@ -1258,7 +1258,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
 
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0 ; i < jsonObjLen; i+=2, ++p)
                 {
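Review bot: The odd-length check just above `char tmp[3];` only assigns `ret = OC_STACK_ERROR`; in the visible lines the code still goes on to `OICCalloc(1, jsonObjLen/2)` and enters the loop. For an odd `jsonObjLen`, the header `i < jsonObjLen; i+=2, ++p` runs one more iteration than the `jsonObjLen/2` bytes allocated, so if the body stores to `buf[p]` the last store lands past the allocation, which enlarging `tmp` does not address. Consider returning or jumping to the exit path when `ret` is not OK before allocating, and checking the `OICCalloc` result before the loop.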
@@ -1285,7 +1285,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
 
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0 ; i < jsonObjLen; i+=2, ++p)
                 {
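Review bot: `char tmp[3];` is a bare magic number whose correctness depends on a formatting call outside the visible context (the `sprintf` named in the commit subject). A short comment stating that it holds two hex characters plus the terminating null, together with a bounded call such as `snprintf(tmp, sizeof(tmp), ...)`, would keep the buffer size and the write tied together if either changes later.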
@@ -1312,7 +1312,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
                 jsonObjLen = strlen(jsonOpt->valuestring);
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0; i < jsonObjLen; i+=2, ++p)
                 {
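Review bot: The `tmp` / `OICCalloc(1, jsonObjLen/2)` / `for` sequence here is the same as in the two earlier hunks of `JSONToCredBin`, so the sizing fix had to be repeated three times. Moving the hex-string decoding into a single helper that takes the string and its length and returns the decoded buffer would leave one place to size `tmp`, validate the length and check the allocation.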