For #1229, fix the security risk in logger. 3.0.69

2025-03-09 15:49:59 +00:00 · 2019-12-11 11:56:00 +08:00 · 2019-12-11 11:56:00 +08:00 · 78da67e8d1
commit 78da67e8d1
parent ad70589347
5 changed files with 36 additions and 4 deletions
--- a/trunk/src/app/srs_app_log.cpp
+++ b/trunk/src/app/srs_app_log.cpp
@ -192,7 +192,8 @@ void SrsFastLog::error(const char* tag, int context_id, const char* fmt, ...)
    va_end(ap);
    
    // add strerror() to error msg.
-    if (errno != 0) {
+    // Check size to avoid security issue https://github.com/ossrs/srs/issues/1229
+    if (errno != 0 && size < LOG_MAX_SIZE) {
        size += snprintf(log_data + size, LOG_MAX_SIZE - size, "(%s)", strerror(errno));
    }
    
--- a/trunk/src/core/srs_core.hpp
+++ b/trunk/src/core/srs_core.hpp
@ -27,7 +27,7 @@
 // The version config.
 #define VERSION_MAJOR       3
 #define VERSION_MINOR       0
-#define VERSION_REVISION    68
+#define VERSION_REVISION    69

 // The macros generated by configure script.
 #include <srs_auto_headers.hpp>
--- a/trunk/src/service/srs_service_log.cpp
+++ b/trunk/src/service/srs_service_log.cpp
@ -255,6 +255,12 @@ bool srs_log_header(char* buffer, int size, bool utc, bool dangerous, const char
                level, getpid(), cid);
        }
    }
+
+    // Exceed the size, ignore this log.
+    // Check size to avoid security issue https://github.com/ossrs/srs/issues/1229
+    if (written >= size) {
+        return false;
+    }
    
    if (written == -1) {
        return false;
--- a/trunk/src/utest/srs_utest_core.cpp
+++ b/trunk/src/utest/srs_utest_core.cpp
@ -64,9 +64,33 @@ VOID TEST(CoreMacroseTest, Check)
 #endif
 }

+#define _ARRAY_INIT(buf, sz, val) \
+    for (int i = 0; i < (int)sz; i++) buf[i]=val
+
 VOID TEST(CoreLogger, CheckVsnprintf)
 {
-    char buf[1024];
-    EXPECT_EQ(6, sprintf(buf, "%s", "Hello!"));
+    if (true) {
+        char buf[1024];
+        _ARRAY_INIT(buf, sizeof(buf), 0xf);
+
+        // Return the number of characters printed.
+        EXPECT_EQ(6, sprintf(buf, "%s", "Hello!"));
+        EXPECT_EQ('H', buf[0]);
+        EXPECT_EQ('!', buf[5]);
+        EXPECT_EQ(0x0, buf[6]);
+        EXPECT_EQ(0xf, buf[7]);
+    }
+
+    if (true) {
+        char buf[1024];
+        _ARRAY_INIT(buf, sizeof(buf), 0xf);
+
+        // Return the number of characters that would have been printed if the size were unlimited.
+        EXPECT_EQ(6, snprintf(buf, 3, "%s", "Hello!"));
+        EXPECT_EQ('H', buf[0]);
+        EXPECT_EQ('e', buf[1]);
+        EXPECT_EQ(0, buf[2]);
+        EXPECT_EQ(0xf, buf[3]);
+    }
 }