From 383d96f5e2996e3b6b452527279c936c3dbe07b5 Mon Sep 17 00:00:00 2001
From: moneromooo-monero
Date: Sat, 31 Oct 2015 19:59:44 +0000
Subject: [PATCH] daemon_deprecated_rpc: fix and simplify NUL terminated buffer handling

Remove the arbitrary 1000 byte limit, get the large buffers off the stack, and fix user controlled stack smashing which could plausibly lead to arbitrary code execution.
---
 src/rpc/daemon_deprecated_rpc.cpp | 39 ++++++++++---------------------
 1 file changed, 12 insertions(+), 27 deletions(-)

diff --git a/src/rpc/daemon_deprecated_rpc.cpp b/src/rpc/daemon_deprecated_rpc.cpp
index b41bd7cbc..3bad883c4 100644
--- a/src/rpc/daemon_deprecated_rpc.cpp
+++ b/src/rpc/daemon_deprecated_rpc.cpp
@@ -218,13 +218,8 @@ namespace
 "Parameters missing.", "{}");
 }
 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- size_t zidx = sizeof(request_buf) - 1;
- if (req->params[0].len < zidx)
- zidx = req->params[0].len;
- request_buf[zidx] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
@@ -478,10 +473,8 @@ namespace
 }

 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- request_buf[req->params[0].len] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
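Review bot: Nothing visible in the hunk at -218 bounds `req->params[0].len` now that the 1000-byte array is gone: the new `std::string request_buf(...)` line sizes a heap copy from it and hands the result to `Parse`, and the hunks at -478, -533, -665, -726 and -810 do the same. Whether the transport caps request size is not visible on this page; if it does not, one request decides both the allocation size and how deeply nested a document the parser must walk. A ceiling checked before the copy keeps the fix from replacing a stack overwrite with resource exhaustion, for example `if (req->params[0].len > kMaxRequestLen) return ns_rpc_create_error(buf, len, req, parse_error, "Request too large", "{}");`, where `kMaxRequestLen` is a new constant to be chosen for this RPC. The handlers these hunks belong to start and end outside the visible lines.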
@@ -533,10 +526,8 @@ namespace
 }

 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- request_buf[req->params[0].len] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
@@ -665,10 +656,8 @@ namespace
 }

 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- request_buf[req->params[0].len] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
@@ -726,10 +715,8 @@ namespace
 }

 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- request_buf[req->params[0].len] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
@@ -810,10 +797,8 @@ namespace
 }

 rapidjson::Document request_json;
- char request_buf[1000];
- strncpy(request_buf, req->params[0].ptr, req->params[0].len);
- request_buf[req->params[0].len] = '\0';
- if (request_json.Parse(request_buf).HasParseError())
+ std::string request_buf(req->params[0].ptr, req->params[0].len);
+ if (request_json.Parse(request_buf.c_str()).HasParseError())
 {
 return ns_rpc_create_error(buf, len, req, parse_error,
 "Invalid JSON passed", "{}");
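Review bot: `Parse(request_buf.c_str())` in the hunk at -533 (and in every other hunk of this patch) reads only up to the first NUL byte, so a parameter carrying an embedded zero is parsed as its prefix and the remaining bytes of `len` are ignored without an error. Rejecting such input keeps what is validated equal to what was received: `if (request_buf.find('\0') != std::string::npos)` followed by the existing `parse_error` return. Because the same two lines now appear six times, a small helper in the enclosing namespace that does the copy, this check and the parse would stop the copies drifting apart the way the removed code had, where only the first version clamped the terminator index.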