From b36da99cffb20338fdf5cfef3bce9f202b3a4cf1 Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Thu, 19 Apr 2018 15:30:26 +0200 Subject: Use secure strlen Signed-off-by: Szczepan Zalega --- NitrokeyManager.cc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/NitrokeyManager.cc b/NitrokeyManager.cc index 085bf78..6a89a5b 100644 --- a/NitrokeyManager.cc +++ b/NitrokeyManager.cc @@ -51,6 +51,8 @@ char * strndup(const char* str, size_t maxlen){ #endif #endif +static const int user_tmp_pass_maxlen = 30; + using nitrokey::misc::strcpyT; template @@ -397,13 +399,14 @@ using nitrokey::misc::strcpyT; return s.str(); } - string NitrokeyManager::get_HOTP_code(uint8_t slot_number, const char *user_temporary_password) { + + string NitrokeyManager::get_HOTP_code(uint8_t slot_number, const char *user_temporary_password) { if (!is_valid_hotp_slot_number(slot_number)) throw InvalidSlotException(slot_number); if (is_authorization_command_supported()){ auto gh = get_payload(); gh.slot_number = get_internal_slot_number_for_hotp(slot_number); - if(user_temporary_password != nullptr && strlen(user_temporary_password)!=0){ //FIXME use string instead of strlen + if(user_temporary_password != nullptr && strnlen(user_temporary_password, user_tmp_pass_maxlen) != 0){ //FIXME use string instead of strlen authorize_packet(gh, user_temporary_password, device); } auto resp = GetHOTP::CommandTransaction::run(device, gh); @@ -411,7 +414,7 @@ using nitrokey::misc::strcpyT; } else { auto gh = get_payload(); gh.slot_number = get_internal_slot_number_for_hotp(slot_number); - if(user_temporary_password != nullptr && strlen(user_temporary_password)!=0) { + if(user_temporary_password != nullptr && strnlen(user_temporary_password, user_tmp_pass_maxlen) != 0) { //FIXME use strnlen instead of strlen strcpyT(gh.temporary_user_password, user_temporary_password); } auto resp = stick10_08::GetHOTP::CommandTransaction::run(device, gh); @@ -440,7 +443,7 @@ using nitrokey::misc::strcpyT; gt.last_interval = last_interval; gt.last_totp_time = last_totp_time; - if(user_temporary_password != nullptr && strlen(user_temporary_password)!=0){ //FIXME use string instead of strlen + if(user_temporary_password != nullptr && strnlen(user_temporary_password, user_tmp_pass_maxlen) != 0){ //FIXME use string instead of strlen authorize_packet(gt, user_temporary_password, device); } auto resp = GetTOTP::CommandTransaction::run(device, gt); -- cgit v1.2.3