From 9e0d97d2e24b1d3999069c1ce5d699482f590c04 Mon Sep 17 00:00:00 2001 From: Xavier Del Campo Date: Sat, 11 Sep 2021 00:50:04 +0200 Subject: [PATCH] at.c: use snprintf(3) snprintf(3) is preferred over insecure sprintf(3) in order to avoid buffer overrun vulnerabilities. --- src/at.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/at.c b/src/at.c index ff77fbc..168f572 100644 --- a/src/at.c +++ b/src/at.c @@ -58,15 +58,21 @@ gboolean at_send_command(struct EG25Manager *manager) /* Send AT command */ if (at_cmd->subcmd == NULL && at_cmd->value == NULL && at_cmd->expected == NULL) - len = sprintf(command, "AT+%s\r\n", at_cmd->cmd); + len = snprintf(command, sizeof(command), "AT+%s\r\n", at_cmd->cmd); else if (at_cmd->subcmd == NULL && at_cmd->value == NULL) - len = sprintf(command, "AT+%s?\r\n", at_cmd->cmd); + len = snprintf(command, sizeof(command), "AT+%s?\r\n", at_cmd->cmd); else if (at_cmd->subcmd == NULL && at_cmd->value) - len = sprintf(command, "AT+%s=%s\r\n", at_cmd->cmd, at_cmd->value); + len = snprintf(command, sizeof(command),"AT+%s=%s\r\n", at_cmd->cmd, at_cmd->value); else if (at_cmd->subcmd && at_cmd->value == NULL) - len = sprintf(command, "AT+%s=\"%s\"\r\n", at_cmd->cmd, at_cmd->subcmd); + len = snprintf(command, sizeof(command), "AT+%s=\"%s\"\r\n", at_cmd->cmd, at_cmd->subcmd); else if (at_cmd->subcmd && at_cmd->value) - len = sprintf(command, "AT+%s=\"%s\",%s\r\n", at_cmd->cmd, at_cmd->subcmd, at_cmd->value); + len = snprintf(command, sizeof(command), "AT+%s=\"%s\",%s\r\n", at_cmd->cmd, at_cmd->subcmd, at_cmd->value); + + if (len < 0 || len >= sizeof(command)) { + g_warning("AT command does not fit into buffer\n"); + return FALSE; + } + manager->at_callback = at_cmd->callback; ret = write(manager->at_fd, command, len);