Fix possible strncat buffer overflows

2025-07-24 11:16:34 +00:00 · 2018-11-22 15:41:30 +01:00 · 2018-11-22 15:41:30 +01:00 · 6c87ab205a
commit 6c87ab205a
parent d71ae77900
12 changed files with 21 additions and 17 deletions
--- a/sonoff/_changelog.ino
+++ b/sonoff/_changelog.ino
@ -3,6 +3,7 @@
 * Add additional start-up delay during initial wifi connection
 * Add support for I2C MGC3130 Electric Field Effect sensor by Christian Baars (#3774, #4404)
 * Add initial support for Hass sensor discovery (#4380)
+ * Fix possible strncat buffer overflows
 *
 * 6.3.0.11 20181120
 * Add delays removed in 6.3.0.9 (#4233)
--- a/sonoff/support.ino
+++ b/sonoff/support.ino
@ -452,7 +452,7 @@ char* GetPowerDevice(char* dest, uint8_t idx, size_t size, uint8_t option)
  strncpy_P(dest, S_RSLT_POWER, size);                // POWER
  if ((devices_present + option) > 1) {
    snprintf_P(sidx, sizeof(sidx), PSTR("%d"), idx);  // x
-    strncat(dest, sidx, size);                        // POWERx
+    strncat(dest, sidx, size - strlen(dest) -1);      // POWERx
  }
  return dest;
 }
@ -1030,7 +1030,7 @@ void I2cScan(char *devs, unsigned int devs_len)
    }
  }
  if (any) {
-    strncat(devs, "\"}", devs_len);
+    strncat(devs, "\"}", devs_len - strlen(devs) -1);
  }
  else {
    snprintf_P(devs, devs_len, PSTR("{\"" D_CMND_I2CSCAN "\":\"" D_JSON_I2CSCAN_NO_DEVICES_FOUND "\"}"));
@ -1157,7 +1157,7 @@ void AddLog_P(byte loglevel, const char *formatP, const char *formatP2)

  snprintf_P(log_data, sizeof(log_data), formatP);
  snprintf_P(message, sizeof(message), formatP2);
-  strncat(log_data, message, sizeof(log_data));
+  strncat(log_data, message, sizeof(log_data) - strlen(log_data) -1);
  AddLog(loglevel);
 }

--- a/sonoff/support_features.ino
+++ b/sonoff/support_features.ino
@ -358,8 +358,10 @@ void GetFeatures(void)
 #ifdef USE_TX20_WIND_SENSOR
  feature_sns2 |= 0x00002000;  // xsns_35_tx20.ino
 #endif
+#ifdef USE_MGC3130
+  feature_sns2 |= 0x00004000;  // xsns_36_mgc3130.ino
+#endif

-//  feature_sns2 |= 0x00004000;
 //  feature_sns2 |= 0x00008000;
 //  feature_sns2 |= 0x00010000;
 //  feature_sns2 |= 0x00020000;
--- a/sonoff/support_rtc.ino
+++ b/sonoff/support_rtc.ino
@ -124,12 +124,13 @@ String GetDateAndTime(byte time_type)
      tmpTime = RtcTime;
  }

+
  snprintf_P(dt, sizeof(dt), PSTR("%04d-%02d-%02dT%02d:%02d:%02d"),
    tmpTime.year, tmpTime.month, tmpTime.day_of_month, tmpTime.hour, tmpTime.minute, tmpTime.second);

  if (Settings.flag3.time_append_timezone && (DT_LOCAL == time_type)) {
 //  if (Settings.flag3.time_append_timezone && ((DT_LOCAL == time_type) || (DT_ENERGY == time_type))) {
-    strncat(dt, GetTimeZone().c_str(), sizeof(dt));
+    strncat(dt, GetTimeZone().c_str(), sizeof(dt) - strlen(dt) -1);
  }

  return String(dt);  // 2017-03-07T11:08:02-07:00
--- a/sonoff/xdrv_02_mqtt.ino
+++ b/sonoff/xdrv_02_mqtt.ino
@ -925,7 +925,7 @@ boolean Xdrv02(byte function)
    switch (function) {
 #ifdef USE_WEBSERVER
      case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_MQTT, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_MQTT, sizeof(mqtt_data) - strlen(mqtt_data) -1);
        break;
      case FUNC_WEB_ADD_HANDLER:
        WebServer->on("/" WEB_HANDLE_MQTT, HandleMqttConfiguration);
--- a/sonoff/xdrv_07_domoticz.ino
+++ b/sonoff/xdrv_07_domoticz.ino
@ -485,7 +485,7 @@ boolean Xdrv07(byte function)
    switch (function) {
 #ifdef USE_WEBSERVER
      case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_DOMOTICZ, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_DOMOTICZ, sizeof(mqtt_data) - strlen(mqtt_data) -1);
        break;
      case FUNC_WEB_ADD_HANDLER:
        WebServer->on("/" WEB_HANDLE_DOMOTICZ, HandleDomoticzConfiguration);
--- a/sonoff/xdrv_09_timers.ino
+++ b/sonoff/xdrv_09_timers.ino
@ -757,9 +757,9 @@ boolean Xdrv09(byte function)
 #ifdef USE_TIMERS_WEB
    case FUNC_WEB_ADD_BUTTON:
 #ifdef USE_RULES
-      strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data));
+      strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data) - strlen(mqtt_data) -1);
 #else
-      if (devices_present) { strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data)); }
+      if (devices_present) { strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data) - strlen(mqtt_data) -1); }
 #endif  // USE_RULES
      break;
    case FUNC_WEB_ADD_HANDLER:
--- a/sonoff/xdrv_11_knx.ino
+++ b/sonoff/xdrv_11_knx.ino
@ -1290,7 +1290,7 @@ boolean Xdrv11(byte function)
 #ifdef USE_WEBSERVER
 #ifdef USE_KNX_WEB_MENU
      case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_KNX, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_KNX, sizeof(mqtt_data) - strlen(mqtt_data) -1);
        break;
      case FUNC_WEB_ADD_HANDLER:
        WebServer->on("/kn", HandleKNXConfiguration);
--- a/sonoff/xdrv_13_display.ino
+++ b/sonoff/xdrv_13_display.ino
@ -819,11 +819,11 @@ void DisplayMqttSubscribe(void)
      if (!strcmp_P(tp, PSTR(MQTT_TOKEN_PREFIX))) {
        break;
      }
-      strncat_P(ntopic, PSTR("+/"), sizeof(ntopic));           // Add single-level wildcards
+      strncat_P(ntopic, PSTR("+/"), sizeof(ntopic) - strlen(ntopic) -1);           // Add single-level wildcards
      tp = strtok(NULL, "/");
    }
-    strncat(ntopic, Settings.mqtt_prefix[2], sizeof(ntopic));  // Subscribe to tele messages
-    strncat_P(ntopic, PSTR("/#"), sizeof(ntopic));             // Add multi-level wildcard
+    strncat(ntopic, Settings.mqtt_prefix[2], sizeof(ntopic) - strlen(ntopic) -1);  // Subscribe to tele messages
+    strncat_P(ntopic, PSTR("/#"), sizeof(ntopic) - strlen(ntopic) -1);             // Add multi-level wildcard
    MqttSubscribe(ntopic);
    disp_subscribed = 1;
  } else {
--- a/sonoff/xdsp_03_matrix.ino
+++ b/sonoff/xdsp_03_matrix.ino
@ -251,7 +251,7 @@ void MatrixPrintLog(uint8_t direction)
          space = 0;
        }
        if (space < 2) {
-          strncat(mtx_buffer, (const char*)txt +i, 1);
+          strncat(mtx_buffer, (const char*)txt +i, (strlen(mtx_buffer) < sizeof(mtx_buffer) -1) ? 1 : 0);
        }
        i++;
      }
--- a/sonoff/xsns_34_hx711.ino
+++ b/sonoff/xsns_34_hx711.ino
@ -496,10 +496,10 @@ boolean Xsns34(byte function)
        break;
 #ifdef USE_HX711_GUI
      case FUNC_WEB_ADD_MAIN_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_MAIN_HX711, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_MAIN_HX711, sizeof(mqtt_data) - strlen(mqtt_data) -1);
        break;
      case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_HX711, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_HX711, sizeof(mqtt_data) - strlen(mqtt_data) -1);
        break;
      case FUNC_WEB_ADD_HANDLER:
        WebServer->on("/" WEB_HANDLE_HX711, HandleHxAction);
--- a/tools/decode-status.py
+++ b/tools/decode-status.py
@ -132,7 +132,7 @@ a_features = [[
    "USE_MCP230xx","USE_MPR121","USE_CCS811","USE_MPU6050",
    "USE_MCP230xx_OUTPUT","USE_MCP230xx_DISPLAYOUTPUT","USE_HLW8012","USE_CSE7766",
    "USE_MCP39F501","USE_PZEM_AC","USE_DS3231","USE_HX711",
-    "USE_PZEM_DC","USE_TX20_WIND_SENSOR","","",
+    "USE_PZEM_DC","USE_TX20_WIND_SENSOR","USE_MGC3130","",
    "","","","",
    "","","","",
    "","","","",