From 32e77a5253a59a8708913690cc0ea327fb60a615 Mon Sep 17 00:00:00 2001 From: Avinash Sonawane Date: Tue, 24 Oct 2023 06:26:40 +0530 Subject: [PATCH] Replace sprintf() with safer snprintf() PR #4373 Co-authored-by: Romain Vimont Signed-off-by: Romain Vimont --- app/src/adb/adb.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/app/src/adb/adb.c b/app/src/adb/adb.c index b248b8ed..54375451 100644 --- a/app/src/adb/adb.c +++ b/app/src/adb/adb.c @@ -218,8 +218,16 @@ sc_adb_forward(struct sc_intr *intr, const char *serial, uint16_t local_port, const char *device_socket_name, unsigned flags) { char local[4 + 5 + 1]; // tcp:PORT char remote[108 + 14 + 1]; // localabstract:NAME - sprintf(local, "tcp:%" PRIu16, local_port); - snprintf(remote, sizeof(remote), "localabstract:%s", device_socket_name); + + int r = snprintf(local, sizeof(local), "tcp:%" PRIu16, local_port); + assert(r >= 0 && (size_t) r < sizeof(local)); + + r = snprintf(remote, sizeof(remote), "localabstract:%s", + device_socket_name); + if (r < 0 || (size_t) r >= sizeof(remote)) { + LOGE("Could not write socket name"); + return false; + } assert(serial); const char *const argv[] = @@ -233,7 +241,9 @@ bool sc_adb_forward_remove(struct sc_intr *intr, const char *serial, uint16_t local_port, unsigned flags) { char local[4 + 5 + 1]; // tcp:PORT - sprintf(local, "tcp:%" PRIu16, local_port); + int r = snprintf(local, sizeof(local), "tcp:%" PRIu16, local_port); + assert(r >= 0 && (size_t) r < sizeof(local)); + (void) r; assert(serial); const char *const argv[] = @@ -249,8 +259,16 @@ sc_adb_reverse(struct sc_intr *intr, const char *serial, unsigned flags) { char local[4 + 5 + 1]; // tcp:PORT char remote[108 + 14 + 1]; // localabstract:NAME - sprintf(local, "tcp:%" PRIu16, local_port); - snprintf(remote, sizeof(remote), "localabstract:%s", device_socket_name); + int r = snprintf(local, sizeof(local), "tcp:%" PRIu16, local_port); + assert(r >= 0 && (size_t) r < sizeof(local)); + + r = snprintf(remote, sizeof(remote), "localabstract:%s", + device_socket_name); + if (r < 0 || (size_t) r >= sizeof(remote)) { + LOGE("Could not write socket name"); + return false; + } + assert(serial); const char *const argv[] = SC_ADB_COMMAND("-s", serial, "reverse", remote, local); @@ -263,7 +281,12 @@ bool sc_adb_reverse_remove(struct sc_intr *intr, const char *serial, const char *device_socket_name, unsigned flags) { char remote[108 + 14 + 1]; // localabstract:NAME - snprintf(remote, sizeof(remote), "localabstract:%s", device_socket_name); + int r = snprintf(remote, sizeof(remote), "localabstract:%s", + device_socket_name); + if (r < 0 || (size_t) r >= sizeof(remote)) { + LOGE("Device socket name too long"); + return false; + } assert(serial); const char *const argv[] = @@ -333,7 +356,9 @@ bool sc_adb_tcpip(struct sc_intr *intr, const char *serial, uint16_t port, unsigned flags) { char port_string[5 + 1]; - sprintf(port_string, "%" PRIu16, port); + int r = snprintf(port_string, sizeof(port_string), "%" PRIu16, port); + assert(r >= 0 && (size_t) r < sizeof(port_string)); + (void) r; assert(serial); const char *const argv[] =