From f9cee4dc47706cbd200da54bc15d7a3f0031e274 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Mon, 27 Feb 2017 17:35:46 +0100
Subject: [PATCH] xfrm: NUL terminate the ctx_str buffer in xfrmnl_sa_set_sec_ctx() and xfrmnl_sp_set_sec_ctx(). The user already must pass a NUL terminated string, where the NUL is included in ctx_len. Just allocate one more by and ensure the buffer is '\0' terminated.
---
 lib/xfrm/sa.c | 3 ++-
 lib/xfrm/sp.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c
index 00460da..995df9f 100644
--- a/lib/xfrm/sa.c
+++ b/lib/xfrm/sa.c
@@ -2021,7 +2021,7 @@ int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int
 /* Free up the old context string and allocate new one */
 if (sa->sec_ctx)
 free (sa->sec_ctx);
- if ((sa->sec_ctx = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + len)) == NULL)
+ if ((sa->sec_ctx = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)) == NULL)
 return -1;

 /* Save the new info */
@@ -2031,6 +2031,7 @@ int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int
 sa->sec_ctx->ctx_doi = doi;
 sa->sec_ctx->ctx_len = len;
 memcpy (sa->sec_ctx->ctx, ctx_str, len);
+ sa->sec_ctx->ctx[len] = '\0';

 sa->ce_mask |= XFRM_SA_ATTR_SECCTX;

diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
index 0f2ebc1..727ae5c 100644
--- a/lib/xfrm/sp.c
+++ b/lib/xfrm/sp.c
@@ -1260,7 +1260,7 @@ int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len __attribute__(
 /* Free up the old context string and allocate new one */
 if (sp->sec_ctx)
 free (sp->sec_ctx);
- if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + ctx_len)) == NULL)
+ if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + ctx_len)) == NULL)
 return -1;

 /* Save the new info */
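Review bot: The allocation size in xfrmnl_sa_set_sec_ctx() (lib/xfrm/sa.c, first hunk) is computed as `sizeof (struct xfrmnl_user_sec_ctx) + 1 + len` from a caller-supplied `unsigned int len` with no upper bound, and the next hunk then copies `len` bytes into the result. Where size_t is 32 bits a very large `len` would wrap that sum and leave the memcpy writing past a short buffer; the store `sa->sec_ctx->ctx_len = len;` may also truncate if the field is narrower than unsigned int (the struct is not visible here). A guard placed before the free/calloc, for example `if (len > UINT16_MAX) return -1;` if ctx_len is a 16-bit field, otherwise a comparison against `SIZE_MAX - sizeof (struct xfrmnl_user_sec_ctx) - 1`, would close both. The same applies to `ctx_len` in the calloc of the first lib/xfrm/sp.c hunk; both function bodies start and end outside their hunks.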
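Review bot: The terminator written by `sa->sec_ctx->ctx[len] = '\0';` (lib/xfrm/sa.c, second hunk) sits one byte past what `ctx_len` records, so nothing stored in the object says the buffer is really `ctx_len + 1` bytes long. Any code outside this hunk that duplicates or re-serialises sec_ctx by its stored length (not visible here) would drop the terminator unless it also allocates the extra byte, which would undo the guarantee this commit adds. I would document the invariant at the store, e.g. `/* ctx holds ctx_len bytes plus one uncounted '\0'; copies must allocate ctx_len + 1 */`, and put the same comment at `sp->sec_ctx->ctx[ctx_len] = '\0';` in the second lib/xfrm/sp.c hunk. The function continues outside the hunk.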
@@ -1270,6 +1270,7 @@ int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len __attribute__(
 sp->sec_ctx->ctx_doi = doi;
 sp->sec_ctx->ctx_len = ctx_len;
 memcpy ((void *)sp->sec_ctx->ctx, (void *)ctx_str, ctx_len);
+ sp->sec_ctx->ctx[ctx_len] = '\0';

 sp->ce_mask |= XFRM_SP_ATTR_SECCTX;

--
2.40.0