daemon_deprecated_rpc: fix and simplify NUL terminated buffer handling

Remove the arbitrary 1000 byte limit, get the large buffers off the
stack, and fix user controlled stack smashing which could plausibly
lead to arbitrary code execution.
moneromooo-monero 2015-10-31 19:59:44 +00:00
parent 81d89c0301
commit 383d96f5e2
No known key found for this signature in database
GPG Key ID: 686F07454D6CEFC3


@ -218,13 +218,8 @@ namespace
"Parameters missing.", "{}");
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
size_t zidx = sizeof(request_buf) - 1;
if (req->params[0].len < zidx)
zidx = req->params[0].len;
request_buf[zidx] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
@ -478,10 +473,8 @@ namespace
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
request_buf[req->params[0].len] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
@ -533,10 +526,8 @@ namespace
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
request_buf[req->params[0].len] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
@ -665,10 +656,8 @@ namespace
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
request_buf[req->params[0].len] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
@ -726,10 +715,8 @@ namespace
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
request_buf[req->params[0].len] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
@ -810,10 +797,8 @@ namespace
}
rapidjson::Document request_json;
char request_buf[1000];
strncpy(request_buf, req->params[0].ptr, req->params[0].len);
request_buf[req->params[0].len] = '\0';
if (request_json.Parse(request_buf).HasParseError())
std::string request_buf(req->params[0].ptr, req->params[0].len);
if (request_json.Parse(request_buf.c_str()).HasParseError())
{
return ns_rpc_create_error(buf, len, req, parse_error,
"Invalid JSON passed", "{}");
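Review bot: With the 1000-byte cap removed, nothing visible in these hunks bounds `req->params[0].len` before it sizes the heap copy in `std::string request_buf(req->params[0].ptr, req->params[0].len);`, so unless the HTTP layer limits request size, the stack overflow is traded for an unbounded allocation. An explicit maximum checked before the copy, returning through the existing `ns_rpc_create_error(buf, len, req, parse_error, ...)` path, would close that. `Parse(request_buf.c_str())` also stops at the first embedded NUL, so any bytes after it are silently ignored; if the bundled rapidjson has the length-taking overload, `request_json.Parse(req->params[0].ptr, req->params[0].len)` avoids both the truncation and the copy. The same two lines recur in all six hunks, and the removed code had already diverged between the first hunk and the other five, so one file-local helper that fills the `rapidjson::Document` from `req` would keep the next fix in one place. The enclosing functions start and end outside the hunks.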