From 35f7651c352fd4bad62261ec5f43f2f4001c2fa4 Mon Sep 17 00:00:00 2001 From: mmk2410 Date: Sun, 24 Jan 2016 13:13:16 +0100 Subject: [PATCH] more secure combine function --- rangitaki-sync.c | 74 ++++++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/rangitaki-sync.c b/rangitaki-sync.c index 6930445..0f76614 100644 --- a/rangitaki-sync.c +++ b/rangitaki-sync.c @@ -1,60 +1,66 @@ -/* Rangitaki Sync Library +/* + * Rangitaki Sync Library * - * A program for downloading and uploading blog posts, - * blogs file and media files from a rangitaki blog. + * A program for downloading and uploading files over ssh. + * Written for the Rangitaki blogging engine. * * Proudly written in C and with use of libssh (libssh.org) * * Version: 0.1 * - * Authors: + * COPYRIGHT (c) 2015 - 2016 The Rangitaki Project + * COPYRIGHT (c) 2015 - 2016 Marcel Kapfer (mmk2410) + * * - * COPYRIGHT (c) 2015 The Rangitaki Project - * COPYRIGHT (c) 2015 Marcel Kapfer (mmk2410) - * - * License: MIT License - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE - * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION - * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION - * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + * MIT License * */ #include -#include "rangitaki-sync.h" #include #include #include #include #include +#include +#include "rangitaki-sync.h" #include "dbg.h" -char * combine(const char * begin, char * end){ - char * result = malloc(strlen(begin) + strlen(end) + 1); - strcpy(result, begin); - strcat(result, end); +#define MAX_FILE_LENGTH 255 + +char * combine(char *begin, char *end){ + char *result; + + check(begin != NULL, "Begin can't be NULL."); + check(end != NULL, "End can't be NULL."); + + size_t begin_length = strnlen(begin, MAX_FILE_LENGTH - 1); + size_t end_length = strnlen(end, MAX_FILE_LENGTH - 1); + + assert(begin_length < MAX_FILE_LENGTH && "Got the begin too long."); + assert(end_length < MAX_FILE_LENGTH && "Got the end to long."); + + result = malloc(begin_length + end_length + 1); + check(result != NULL, "Failed to define result"); + + strncpy(result, begin, MAX_FILE_LENGTH); + check(result != NULL, "Failed to copy the string"); + + strncat(result, end, MAX_FILE_LENGTH * 2); + int rc = strncmp(result, begin, MAX_FILE_LENGTH * 2); + check(rc <= 0, "Failed to concat string."); + return result; + +error: + if (result) free(result); + return NULL; } char * getFilename(char *input) { - check(input != NULL, "Invalid input"); + check(input != NULL, "Input is NULL."); char* string; string = strdup(input); @@ -263,7 +269,7 @@ int scp_download(ssh_session ssh, ssh_scp scp, ssh_data *data) int rv; int size, mode; char buffer[16384]; - const char *local_dir = strdup(data->local_dir); + char *local_dir = strdup(data->local_dir); do { rc = ssh_scp_pull_request(scp);