From 92f83c0385281c1d1e7996fc76c071e782ea6939 Mon Sep 17 00:00:00 2001 From: "Jose M. Guisado" Date: Mon, 5 Jun 2023 18:12:24 +0200 Subject: client: harden og_resp_refresh Harden refresh response logic. Check for necessary JSON fields inside the payload. Check if serial_number is null before calling strlen, prevent ogServer from a malformed refresh response with missing serial_number. Refresh uses legacy function actualizaConfiguracion that takes a long string with the computers configuration (serialno, partitions, disks, link speed and status). Check for an empty string before executing any legacy code inside actualizaConfiguracion. --- src/client.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/client.c') diff --git a/src/client.c b/src/client.c index 36e2565..67c6a2e 100644 --- a/src/client.c +++ b/src/client.c @@ -420,6 +420,10 @@ static int og_resp_refresh(json_t *data, struct og_client *cli) if (link) cli->speed = link; + /* + * status is the only received field when the response is coming from a + * client using linux/windows mode. + */ if (status) { if (!strncmp(status, "LINUX", strlen("LINUX"))) { cli->status = OG_CLIENT_STATUS_LINUX; @@ -429,7 +433,7 @@ static int og_resp_refresh(json_t *data, struct og_client *cli) return 0; } - if (strlen(serial_number) > 0) + if (serial_number && strlen(serial_number) > 0) snprintf(cfg, sizeof(cfg), "ser=%s\n", serial_number); for (i = 0; i < OG_DISK_MAX; i++) { -- cgit v1.2.3-18-g5258
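Review bot: The new NULL guard on `serial_number` in the second hunk makes a refresh response without that field fall through to the disk loop with the `"ser=%s\n"` prefix never written, so if `cfg` is not zero-initialized earlier in og_resp_refresh (not visible here) whatever appends to it afterwards would operate on an indeterminate buffer. Given that the commit message treats serial_number as a required field, rejecting the malformed response seems safer than silently continuing, e.g. `if (!serial_number || serial_number[0] == '\0') return -1;` using whatever error value the other og_resp_* handlers return; the `strlen(...) > 0` form can then go. The message also describes a check for required JSON fields and an empty-string check ahead of actualizaConfiguracion, neither of which appears in this diff, so the description overstates the change or those checks belong in a separate commit. og_resp_refresh begins and ends outside both hunks.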