From 7c227905a447a93072ed8c8da62062909b1d666c Mon Sep 17 00:00:00 2001 From: Dimi Lee Date: Fri, 11 Apr 2014 12:00:19 +0800 Subject: [PATCH] Bug 994524 - [Follow up of bug 989135] Fix ssid buffer may overflow. --- dom/system/gonk/NetworkUtils.cpp | 49 +++++++++----------------------- dom/system/gonk/NetworkUtils.h | 2 +- 2 files changed, 14 insertions(+), 37 deletions(-) diff --git a/dom/system/gonk/NetworkUtils.cpp b/dom/system/gonk/NetworkUtils.cpp index 5a4ded12366c..4ee6a69b8cc8 100644 --- a/dom/system/gonk/NetworkUtils.cpp +++ b/dom/system/gonk/NetworkUtils.cpp @@ -75,7 +75,6 @@ static const char* USB_CONFIG_DELIMIT = ","; static const char* NETD_MESSAGE_DELIMIT = " "; static const uint32_t BUF_SIZE = 1024; -static const uint32_t MAX_SSID_SIZE = 33; static uint32_t SDK_VERSION; @@ -267,28 +266,6 @@ static void split(char* str, const char* sep, nsTArray& result) } } -/** - * Helper function to do string search and replace. - */ -static void replace(const char* src, - const char* strold, - const char* strnew, - char* dst) -{ - const char *p, *q; - char *r; - uint32_t oldlen = strlen(strold); - uint32_t newlen = strlen(strnew); - - for (p = src, r = dst; (q = strstr(p, strold)) != nullptr; p = q + oldlen) { - strncpy(r, p, q - p); - r += q - p; - strncpy(r, strnew, newlen); - r += newlen; - } - strcpy(r, p); -} - /** * Helper function that implement join function. */ 
@@ -540,31 +517,31 @@ void NetworkUtils::setAccessPoint(CommandChain* aChain, NetworkResultOptions& aResult) { char command[MAX_COMMAND_SIZE]; - char ssid[MAX_SSID_SIZE]; - char key[MAX_COMMAND_SIZE]; + nsCString ssid(GET_CHAR(mSsid)); + nsCString key(GET_CHAR(mKey)); - escapeQuote(GET_CHAR(mSsid), ssid); - escapeQuote(GET_CHAR(mKey), key); + escapeQuote(ssid); + escapeQuote(key); if (SDK_VERSION >= 19) { snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" broadcast 6 %s \"%s\"", GET_CHAR(mIfname), - ssid, + ssid.get(), GET_CHAR(mSecurity), - key); + key.get()); } else if (SDK_VERSION >= 16) { snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" %s \"%s\"", GET_CHAR(mIfname), - ssid, + ssid.get(), GET_CHAR(mSecurity), - key); + key.get()); } else { snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s %s \"%s\" %s \"%s\" 6 0 8", GET_CHAR(mIfname), GET_CHAR(mWifictrlinterfacename), - ssid, + ssid.get(), GET_CHAR(mSecurity), - key); + key.get()); } doCommand(command, aChain, aCallback); @@ -1570,10 +1547,10 @@ bool NetworkUtils::setUSBTethering(NetworkParams& aOptions) return true; } -void NetworkUtils::escapeQuote(const char* src, char* dst) +void NetworkUtils::escapeQuote(nsCString& aString) { - replace(src, "\\", "\\\\", dst); - replace(src, "\"", "\\\"", dst); + aString.ReplaceSubstring("\\", "\\\\"); + aString.ReplaceSubstring("\"", "\\\""); } void NetworkUtils::checkUsbRndisState(NetworkParams& aOptions) diff --git a/dom/system/gonk/NetworkUtils.h b/dom/system/gonk/NetworkUtils.h index d56d9df5a0cc..eed56f00ed2a 100644 --- a/dom/system/gonk/NetworkUtils.h +++ b/dom/system/gonk/NetworkUtils.h 
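Review bot: The snprintf return value is still ignored in all three SDK_VERSION branches of setAccessPoint, so once the escaped ssid and key no longer fit in MAX_COMMAND_SIZE the command is silently truncated and still passed to doCommand. Truncation can cut off the closing `\"` of the key, leaving netd with a malformed command instead of a clean failure. Capture the length and stop before doCommand when it does not fit, e.g. `int len = snprintf(command, MAX_COMMAND_SIZE - 1, ...);` followed by `if (len < 0 || len >= int(MAX_COMMAND_SIZE - 1)) { /* report failure and return */ }`. With MAX_SSID_SIZE removed there is also no visible bound on the SSID, so a check against the 32-byte 802.11 limit before escaping would be worthwhile unless a caller outside this hunk already enforces it. The function's signature begins above the hunk, so the error path would have to follow whatever convention the rest of the file uses.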
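Review bot: The two ReplaceSubstring calls in the new escapeQuote are only correct in this order, and nothing in the function records that. If quotes were escaped first, the backslashes inserted for them would be doubled by the second pass. A comment above the first call would protect the ordering, for example `// Escape backslashes first; escaping quotes first would re-escape the backslashes it adds.` The function also leaves newlines and other control characters in the SSID and key untouched. Whether netd's command parser tolerates those is not visible here, so rejecting them before the command is built may be the safer choice.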
@@ -375,7 +375,7 @@ private: void checkUsbRndisState(NetworkParams& aOptions); void dumpParams(NetworkParams& aOptions, const char* aType); - static void escapeQuote(const char* src, char* dst); + static void escapeQuote(nsCString& aString); inline uint32_t netdResponseType(uint32_t code); inline bool isBroadcastMessage(uint32_t code); inline bool isError(uint32_t code);