device.c track length of buffer when buidling xml

As we are building up the xml, keep track of the length of the (remaining) buffer, and check it at the end to make sure we didn't overflow. This does change the max length of the channel xml description from MAX_size_t to MAX_ssize_t. Worse case, that is from 64k to 32k. The C spec defines the minimum size_t to 16-bits. Nominally, on most modern compilers (where size_t is 32-bits) this would reduce things from 4G to 2G. On Pluto, the largest is 8884 bytes, M2k is 17062, so, even 32k seems pretty large. Signed-off-by: Robin Getz <[email protected]>
analogdevicesinc · Apr 22, 2020 · 8c83eae · 8c83eae
1 parent eed04bd
commit 8c83eae
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/device.c b/device.c
@@ -65,12 +65,18 @@ static char *get_attr_xml(const char *attr, size_t *length, enum iio_attr_type t
 /* Returns a string containing the XML representation of this device */
 char * iio_device_get_xml(const struct iio_device *dev, size_t *length)
 {
-	size_t len = sizeof("<device id=\"\" name=\"\" ></device>")
-		+ strlen(dev->id) + (dev->name ? strlen(dev->name) : 0);
-	char *ptr, *str, **attrs, **channels, **buffer_attrs, **debug_attrs;
+	ssize_t len;
+	char *ptr, *eptr, *str, **attrs, **channels, **buffer_attrs, **debug_attrs;
 	size_t *attrs_len, *channels_len, *buffer_attrs_len, *debug_attrs_len;
 	unsigned int i, j, k;
 
+	len = sizeof("<device id=\"\" ></device> ") - 1;
+	len += strnlen(dev->id, MAX_DEV_ID);
+	if (dev->name) {
+		len += sizeof(" name=\"\"") - 1;
+		len += strnlen(dev->name, MAX_DEV_NAME);
+	}
+
 	attrs_len = malloc(dev->nb_attrs * sizeof(*attrs_len));
 	if (!attrs_len)
 		return NULL;
@@ -143,21 +149,26 @@ char * iio_device_get_xml(const struct iio_device *dev, size_t *length)
 	str = malloc(len);
 	if (!str)
 		goto err_free_debug_attrs;
+	eptr = str + len;
 
 	iio_snprintf(str, len, "<device id=\"%s\"", dev->id);
 	ptr = strrchr(str, '\0');
+	len = eptr - ptr;
 
 	if (dev->name) {
 		sprintf(ptr, " name=\"%s\"", dev->name);
 		ptr = strrchr(ptr, '\0');
+		len = eptr - ptr;
 	}
 
 	strcpy(ptr, " >");
 	ptr += 2;
+	len -= 2;
 
 	for (i = 0; i < dev->nb_channels; i++) {
 		strcpy(ptr, channels[i]);
 		ptr += channels_len[i];
+		len -= channels_len[i];
 		free(channels[i]);
 	}
 
@@ -167,6 +178,7 @@ char * iio_device_get_xml(const struct iio_device *dev, size_t *length)
 	for (i = 0; i < dev->nb_attrs; i++) {
 		strcpy(ptr, attrs[i]);
 		ptr += attrs_len[i];
+		len -= attrs_len[i];
 		free(attrs[i]);
 	}
 
@@ -176,6 +188,7 @@ char * iio_device_get_xml(const struct iio_device *dev, size_t *length)
 	for (i = 0; i < dev->nb_buffer_attrs; i++) {
 		strcpy(ptr, buffer_attrs[i]);
 		ptr += buffer_attrs_len[i];
+		len -= buffer_attrs_len[i];
 		free(buffer_attrs[i]);
 	}
 
@@ -185,14 +198,24 @@ char * iio_device_get_xml(const struct iio_device *dev, size_t *length)
 	for (i = 0; i < dev->nb_debug_attrs; i++) {
 		strcpy(ptr, debug_attrs[i]);
 		ptr += debug_attrs_len[i];
+		len -= debug_attrs_len[i];
 		free(debug_attrs[i]);
 	}
 
 	free(debug_attrs);
 	free(debug_attrs_len);
 
 	strcpy(ptr, "</device>");
+	len -= sizeof("</device>") - 1;
+
 	*length = ptr - str + sizeof("</device>") - 1;
+
+	if (len < 0) {
+		IIO_ERROR("Internal libIIO error: iio_device_get_xml str length isssue\n");
+		free(str);
+		return NULL;
+	}
+
 	return str;
 
 err_free_debug_attrs:

diff --git a/iio-private.h b/iio-private.h
@@ -63,6 +63,8 @@
 /* 256 is the MAX_NAME (file name) on Linux, 4096 is PAGESIZE */
 #define MAX_CHN_ID 256 /* encoded in the sysfs filename */
 #define MAX_CHN_NAME 256 /* encoded in the sysfs filename */
+#define MAX_DEV_ID 256 /* encoded in the sysfs filename */
+#define MAX_DEV_NAME 256 /* encoded in the sysfs filename */
 
 /* ntohl/htonl are a nightmare to use in cross-platform applications,
  * since they are defined in different headers on different platforms.