From 92f83c0385281c1d1e7996fc76c071e782ea6939 Mon Sep 17 00:00:00 2001
From: "Jose M. Guisado"
Date: Mon, 5 Jun 2023 18:12:24 +0200
Subject: client: harden og_resp_refresh

Harden refresh response logic. Check for necessary JSON fields inside the payload. Check if serial_number is null before calling strlen, prevent ogServer from a malformed refresh response with missing serial_number. Refresh uses legacy function actualizaConfiguracion that takes a long string with the computers configuration (serialno, partitions, disks, link speed and status). Check for an empty string before executing any legacy code inside actualizaConfiguracion.
---
 src/ogAdmServer.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/ogAdmServer.c')

diff --git a/src/ogAdmServer.c b/src/ogAdmServer.c
index 8c6702f..6f4f704 100644
--- a/src/ogAdmServer.c
+++ b/src/ogAdmServer.c
@@ -52,6 +52,12 @@ bool actualizaConfiguracion(struct og_dbi *dbi, char *cfg, int ido)
 	dbi_result result, result_update;
 	const char *msglog;
 
+	if (cfg && strlen(cfg) == 0) {
+		syslog(LOG_ERR, "Empty configuration string (%s:%d)\n",
+		       __func__, __LINE__);
+		return false;
+	}
+
 	lon = 0;
 	p = splitCadena(ptrPar, cfg, '\n');
 	for (i = 0; i < p; i++) {
-- 
cgit v1.2.3-18-g5258
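Review bot: The new guard `if (cfg && strlen(cfg) == 0)` only rejects an empty string; a NULL `cfg` skips the check and reaches `splitCadena(ptrPar, cfg, '\n')` on the very next context line, which is the missing-serial_number case the commit message says it is hardening against at the caller, so the callee should reject it too unless splitCadena is known to tolerate NULL (not visible here). Change the condition to `if (!cfg || *cfg == '\0') {`, which also avoids walking the whole string with strlen just to test for emptiness. The trailing `\n` in the syslog format string is unnecessary, since syslog terminates records itself; the other syslog calls in this file should be checked for the same convention. The body of actualizaConfiguracion continues outside the hunk.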