From 6c87ab205a9cc7d146d9f6ce48b05525d789d9eb Mon Sep 17 00:00:00 2001
From: Theo Arends <11044339+arendst@users.noreply.github.com>
Date: Thu, 22 Nov 2018 15:41:30 +0100
Subject: [PATCH] Fix possible strncat buffer overflows

Fix possible strncat buffer overflows
---
 sonoff/_changelog.ino       | 1 +
 sonoff/support.ino          | 6 +++---
 sonoff/support_features.ino | 4 +++-
 sonoff/support_rtc.ino      | 3 ++-
 sonoff/xdrv_02_mqtt.ino     | 2 +-
 sonoff/xdrv_07_domoticz.ino | 2 +-
 sonoff/xdrv_09_timers.ino   | 4 ++--
 sonoff/xdrv_11_knx.ino      | 2 +-
 sonoff/xdrv_13_display.ino  | 6 +++---
 sonoff/xdsp_03_matrix.ino   | 2 +-
 sonoff/xsns_34_hx711.ino    | 4 ++--
 tools/decode-status.py      | 2 +-
 12 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/sonoff/_changelog.ino b/sonoff/_changelog.ino
index 26fea49e6..91e7ebe9c 100644
--- a/sonoff/_changelog.ino
+++ b/sonoff/_changelog.ino
@@ -3,6 +3,7 @@
  * Add additional start-up delay during initial wifi connection
  * Add support for I2C MGC3130 Electric Field Effect sensor by Christian Baars (#3774, #4404)
  * Add initial support for Hass sensor discovery (#4380)
+ * Fix possible strncat buffer overflows
  *
  * 6.3.0.11 20181120
  * Add delays removed in 6.3.0.9 (#4233)
diff --git a/sonoff/support.ino b/sonoff/support.ino
index f32657c37..234764791 100644
--- a/sonoff/support.ino
+++ b/sonoff/support.ino
@@ -452,7 +452,7 @@ char* GetPowerDevice(char* dest, uint8_t idx, size_t size, uint8_t option)
   strncpy_P(dest, S_RSLT_POWER, size);                // POWER
   if ((devices_present + option) > 1) {
     snprintf_P(sidx, sizeof(sidx), PSTR("%d"), idx);  // x
-    strncat(dest, sidx, size);                        // POWERx
+    strncat(dest, sidx, size - strlen(dest) -1);      // POWERx
   }
   return dest;
 }
@@ -1030,7 +1030,7 @@ void I2cScan(char *devs, unsigned int devs_len)
     }
   }
   if (any) {
-    strncat(devs, "\"}", devs_len);
+    strncat(devs, "\"}", devs_len - strlen(devs) -1);
   }
   else {
     snprintf_P(devs, devs_len, PSTR("{\"" D_CMND_I2CSCAN "\":\"" D_JSON_I2CSCAN_NO_DEVICES_FOUND "\"}"));
@@ -1157,7 +1157,7 @@ void AddLog_P(byte loglevel, const char *formatP, const char *formatP2)
 
   snprintf_P(log_data, sizeof(log_data), formatP);
   snprintf_P(message, sizeof(message), formatP2);
-  strncat(log_data, message, sizeof(log_data));
+  strncat(log_data, message, sizeof(log_data) - strlen(log_data) -1);
   AddLog(loglevel);
 }
 
diff --git a/sonoff/support_features.ino b/sonoff/support_features.ino
index 826e73090..2e5e894ce 100644
--- a/sonoff/support_features.ino
+++ b/sonoff/support_features.ino
@@ -358,8 +358,10 @@ void GetFeatures(void)
 #ifdef USE_TX20_WIND_SENSOR
   feature_sns2 |= 0x00002000;  // xsns_35_tx20.ino
 #endif
+#ifdef USE_MGC3130
+  feature_sns2 |= 0x00004000;  // xsns_36_mgc3130.ino
+#endif
 
-//  feature_sns2 |= 0x00004000;
 //  feature_sns2 |= 0x00008000;
 //  feature_sns2 |= 0x00010000;
 //  feature_sns2 |= 0x00020000;
diff --git a/sonoff/support_rtc.ino b/sonoff/support_rtc.ino
index b6067bd15..4ba0747a5 100644
--- a/sonoff/support_rtc.ino
+++ b/sonoff/support_rtc.ino
@@ -124,12 +124,13 @@ String GetDateAndTime(byte time_type)
       tmpTime = RtcTime;
   }
 
+
   snprintf_P(dt, sizeof(dt), PSTR("%04d-%02d-%02dT%02d:%02d:%02d"),
     tmpTime.year, tmpTime.month, tmpTime.day_of_month, tmpTime.hour, tmpTime.minute, tmpTime.second);
 
   if (Settings.flag3.time_append_timezone && (DT_LOCAL == time_type)) {
 //  if (Settings.flag3.time_append_timezone && ((DT_LOCAL == time_type) || (DT_ENERGY == time_type))) {
-    strncat(dt, GetTimeZone().c_str(), sizeof(dt));
+    strncat(dt, GetTimeZone().c_str(), sizeof(dt) - strlen(dt) -1);
   }
 
   return String(dt);  // 2017-03-07T11:08:02-07:00
diff --git a/sonoff/xdrv_02_mqtt.ino b/sonoff/xdrv_02_mqtt.ino
index b4876d436..34025c5fc 100644
--- a/sonoff/xdrv_02_mqtt.ino
+++ b/sonoff/xdrv_02_mqtt.ino
@@ -925,7 +925,7 @@ boolean Xdrv02(byte function)
     switch (function) {
 #ifdef USE_WEBSERVER
       case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_MQTT, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_MQTT, sizeof(mqtt_data) - strlen(mqtt_data) -1);
         break;
       case FUNC_WEB_ADD_HANDLER:
         WebServer->on("/" WEB_HANDLE_MQTT, HandleMqttConfiguration);
diff --git a/sonoff/xdrv_07_domoticz.ino b/sonoff/xdrv_07_domoticz.ino
index a4851a7b8..40c3127ec 100644
--- a/sonoff/xdrv_07_domoticz.ino
+++ b/sonoff/xdrv_07_domoticz.ino
@@ -485,7 +485,7 @@ boolean Xdrv07(byte function)
     switch (function) {
 #ifdef USE_WEBSERVER
       case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_DOMOTICZ, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_DOMOTICZ, sizeof(mqtt_data) - strlen(mqtt_data) -1);
         break;
       case FUNC_WEB_ADD_HANDLER:
         WebServer->on("/" WEB_HANDLE_DOMOTICZ, HandleDomoticzConfiguration);
diff --git a/sonoff/xdrv_09_timers.ino b/sonoff/xdrv_09_timers.ino
index 6fa499efd..fb7c2cef5 100644
--- a/sonoff/xdrv_09_timers.ino
+++ b/sonoff/xdrv_09_timers.ino
@@ -757,9 +757,9 @@ boolean Xdrv09(byte function)
 #ifdef USE_TIMERS_WEB
     case FUNC_WEB_ADD_BUTTON:
 #ifdef USE_RULES
-      strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data));
+      strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data) - strlen(mqtt_data) -1);
 #else
-      if (devices_present) { strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data)); }
+      if (devices_present) { strncat_P(mqtt_data, HTTP_BTN_MENU_TIMER, sizeof(mqtt_data) - strlen(mqtt_data) -1); }
 #endif  // USE_RULES
       break;
     case FUNC_WEB_ADD_HANDLER:
diff --git a/sonoff/xdrv_11_knx.ino b/sonoff/xdrv_11_knx.ino
index 5391cd17c..b4fbefc18 100644
--- a/sonoff/xdrv_11_knx.ino
+++ b/sonoff/xdrv_11_knx.ino
@@ -1290,7 +1290,7 @@ boolean Xdrv11(byte function)
 #ifdef USE_WEBSERVER
 #ifdef USE_KNX_WEB_MENU
       case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_KNX, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_KNX, sizeof(mqtt_data) - strlen(mqtt_data) -1);
         break;
       case FUNC_WEB_ADD_HANDLER:
         WebServer->on("/kn", HandleKNXConfiguration);
diff --git a/sonoff/xdrv_13_display.ino b/sonoff/xdrv_13_display.ino
index fe93fc8ca..93f61c739 100644
--- a/sonoff/xdrv_13_display.ino
+++ b/sonoff/xdrv_13_display.ino
@@ -819,11 +819,11 @@ void DisplayMqttSubscribe(void)
       if (!strcmp_P(tp, PSTR(MQTT_TOKEN_PREFIX))) {
         break;
       }
-      strncat_P(ntopic, PSTR("+/"), sizeof(ntopic));           // Add single-level wildcards
+      strncat_P(ntopic, PSTR("+/"), sizeof(ntopic) - strlen(ntopic) -1);           // Add single-level wildcards
       tp = strtok(NULL, "/");
     }
-    strncat(ntopic, Settings.mqtt_prefix[2], sizeof(ntopic));  // Subscribe to tele messages
-    strncat_P(ntopic, PSTR("/#"), sizeof(ntopic));             // Add multi-level wildcard
+    strncat(ntopic, Settings.mqtt_prefix[2], sizeof(ntopic) - strlen(ntopic) -1);  // Subscribe to tele messages
+    strncat_P(ntopic, PSTR("/#"), sizeof(ntopic) - strlen(ntopic) -1);             // Add multi-level wildcard
     MqttSubscribe(ntopic);
     disp_subscribed = 1;
   } else {
diff --git a/sonoff/xdsp_03_matrix.ino b/sonoff/xdsp_03_matrix.ino
index 7af998470..63222c637 100644
--- a/sonoff/xdsp_03_matrix.ino
+++ b/sonoff/xdsp_03_matrix.ino
@@ -251,7 +251,7 @@ void MatrixPrintLog(uint8_t direction)
           space = 0;
         }
         if (space < 2) {
-          strncat(mtx_buffer, (const char*)txt +i, 1);
+          strncat(mtx_buffer, (const char*)txt +i, (strlen(mtx_buffer) < sizeof(mtx_buffer) -1) ? 1 : 0);
         }
         i++;
       }
diff --git a/sonoff/xsns_34_hx711.ino b/sonoff/xsns_34_hx711.ino
index 0382efc12..400f0991e 100644
--- a/sonoff/xsns_34_hx711.ino
+++ b/sonoff/xsns_34_hx711.ino
@@ -496,10 +496,10 @@ boolean Xsns34(byte function)
         break;
 #ifdef USE_HX711_GUI
       case FUNC_WEB_ADD_MAIN_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_MAIN_HX711, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_MAIN_HX711, sizeof(mqtt_data) - strlen(mqtt_data) -1);
         break;
       case FUNC_WEB_ADD_BUTTON:
-        strncat_P(mqtt_data, HTTP_BTN_MENU_HX711, sizeof(mqtt_data));
+        strncat_P(mqtt_data, HTTP_BTN_MENU_HX711, sizeof(mqtt_data) - strlen(mqtt_data) -1);
         break;
       case FUNC_WEB_ADD_HANDLER:
         WebServer->on("/" WEB_HANDLE_HX711, HandleHxAction);
diff --git a/tools/decode-status.py b/tools/decode-status.py
index b1881865f..83077e5fd 100644
--- a/tools/decode-status.py
+++ b/tools/decode-status.py
@@ -132,7 +132,7 @@ a_features = [[
     "USE_MCP230xx","USE_MPR121","USE_CCS811","USE_MPU6050",
     "USE_MCP230xx_OUTPUT","USE_MCP230xx_DISPLAYOUTPUT","USE_HLW8012","USE_CSE7766",
     "USE_MCP39F501","USE_PZEM_AC","USE_DS3231","USE_HX711",
-    "USE_PZEM_DC","USE_TX20_WIND_SENSOR","","",
+    "USE_PZEM_DC","USE_TX20_WIND_SENSOR","USE_MGC3130","",
     "","","","",
     "","","","",
     "","","","",