Fix buffer overflow in _cbor_value_copy_string

jimparis · carlescufi · commit 6966f6140cb8 · 2019-10-15T19:20:29.000+02:00
The function is documented to only null-terminate when the buffer is
big enough to allow it.  Both upstream intel/tinycbor and mynewt's
version do this correctly.
diff --git a/src/cborparser.c b/src/cborparser.c
@@ -1293,6 +1293,7 @@ CborError _cbor_value_copy_string(const CborValue *value, void *buffer,
                                  size_t *buflen, CborValue *next)
 {
     bool copied_all;
+    size_t maxlen = *buflen;
     CborError err = iterate_string_chunks(value, (char*)buffer, buflen, &copied_all, next,
                                           buffer ? (IterateFunction) value->parser->d->cpy : iterate_noop);
     if (err) {
@@ -1303,7 +1304,7 @@ CborError _cbor_value_copy_string(const CborValue *value, void *buffer,
         return CborErrorOutOfMemory;
     }
 
-    if (buffer) {
+    if (buffer && *buflen < maxlen) {
         *((uint8_t *)buffer + *buflen) = '\0';
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1293,6 +1293,7 @@ CborError _cbor_value_copy_string(const CborValue value, void buffer,`
`1293`	`1293`	`size_t buflen, CborValue next)`
`1294`	`1294`	`{`
`1295`	`1295`	`bool copied_all;`
	`1296`	`+ size_t maxlen = *buflen;`
`1296`	`1297`	`CborError err = iterate_string_chunks(value, (char*)buffer, buflen, &copied_all, next,`
`1297`	`1298`	`buffer ? (IterateFunction) value->parser->d->cpy : iterate_noop);`
`1298`	`1299`	`if (err) {`
`@@ -1303,7 +1304,7 @@ CborError _cbor_value_copy_string(const CborValue value, void buffer,`
`1303`	`1304`	`return CborErrorOutOfMemory;`
`1304`	`1305`	`}`
`1305`	`1306`
`1306`		`- if (buffer) {`
	`1307`	`+ if (buffer && *buflen < maxlen) {`
`1307`	`1308`	`((uint8_t )buffer + *buflen) = '\0';`
`1308`	`1309`	`}`
`1309`	`1310`