Added patch for bufferoverflow in logger

2025-02-02 13:56:49 +01:00 · 2025-02-02 13:56:49 +01:00 · 556daa9eca
parent f118b4545f
commit 556daa9eca
2 changed files with 50 additions and 0 deletions
--- a/MMDVMHost/0004-fix-bufferoverflow.patch
+++ b/MMDVMHost/0004-fix-bufferoverflow.patch
@ -0,0 +1,49 @@
+commit bab1b2ca3c80dc97cfeec23df291064147e4c013
+Author: Rick Altherr <kc8apf@kc8apf.net>
+Date:   Mon Jun 24 15:21:42 2024 -0700
+
+    Fix buffer overflow in Log
+    
+    Log line prefix is written to the buffer before the log message.  While
+    the buffer start was being adjusted when writing the log message via
+    vsnprintf(), the buffer size was not.  This would allow a log message to
+    write past the end of the stack-allocated buffer.
+
+diff --git a/Log.cpp b/Log.cpp
+index 752601e..9c94b0f 100644
+--- a/Log.cpp
+++ b/Log.cpp
+@@ -149,25 +149,29 @@ void Log(unsigned int level, const char* fmt, ...)
+ {
+ 	assert(fmt != NULL);
+ 
+-	char buffer[501U];
+	size_t buffer_len = 501U;
+	char buffer[buffer_len];
+	int count;
+ #if defined(_WIN32) || defined(_WIN64)
+ 	SYSTEMTIME st;
+ 	::GetSystemTime(&st);
+ 
+-	::sprintf(buffer, "%c: %04u-%02u-%02u %02u:%02u:%02u.%03u ", LEVELS[level], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
+	count = ::snprintf(buffer, buffer_len, "%c: %04u-%02u-%02u %02u:%02u:%02u.%03u ", LEVELS[level], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
+ #else
+ 	struct timeval now;
+ 	::gettimeofday(&now, NULL);
+ 
+ 	struct tm* tm = ::gmtime(&now.tv_sec);
+ 
+-	::sprintf(buffer, "%c: %04d-%02d-%02d %02d:%02d:%02d.%03lld ", LEVELS[level], tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec / 1000LL);
+	count = ::snprintf(buffer, buffer_len, "%c: %04d-%02d-%02d %02d:%02d:%02d.%03lld ", LEVELS[level], tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec / 1000LL);
+ #endif
+	assert(count >= 0);
+	buffer_len -= count;
+ 
+ 	va_list vl;
+ 	va_start(vl, fmt);
+ 
+-	::vsnprintf(buffer + ::strlen(buffer), 500, fmt, vl);
+	::vsnprintf(buffer + count, buffer_len, fmt, vl);
+ 
+ 	va_end(vl);
+ 
--- a/MMDVMHost/default.nix
+++ b/MMDVMHost/default.nix
@ -15,6 +15,7 @@ stdenv.mkDerivation {
    ./0001-patch-install-path.patch
    ./0002-fix-missing-include.patch
    ./0003-fix-null-controller.patch
+    ./0004-fix-bufferoverflow.patch
  ];

 }