For #1229, fix the security risk in logger. 3.0.69

ossrs · Dec 11, 2019 · 78da67e · 78da67e
1 parent ad70589
commit 78da67e
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -145,6 +145,7 @@ For previous versions, please read:
 
 ## V3 changes
 
+* v3.0, 2019-12-11, For [#1229][bug #1229], fix the security risk in logger. 3.0.69
 * v3.0, 2019-12-11, For [#1229][bug #1229], fix the security risk in HDS. 3.0.69
 * v3.0, 2019-12-05, Fix [#1506][bug #1501], support directly turn FLV timestamp to TS DTS. 3.0.68
 * <strong>v3.0, 2019-11-30, [3.0 alpha3(3.0.67)][r3.0a3] released. 110864 lines.</strong>

diff --git a/trunk/src/app/srs_app_log.cpp b/trunk/src/app/srs_app_log.cpp
@@ -192,7 +192,8 @@ void SrsFastLog::error(const char* tag, int context_id, const char* fmt, ...)
     va_end(ap);
 
     // add strerror() to error msg.
-    if (errno != 0) {
+    // Check size to avoid security issue https://github.com/ossrs/srs/issues/1229
+    if (errno != 0 && size < LOG_MAX_SIZE) {
         size += snprintf(log_data + size, LOG_MAX_SIZE - size, "(%s)", strerror(errno));
     }
 

diff --git a/trunk/src/core/srs_core.hpp b/trunk/src/core/srs_core.hpp
@@ -27,7 +27,7 @@
 // The version config.
 #define VERSION_MAJOR       3
 #define VERSION_MINOR       0
-#define VERSION_REVISION    68
+#define VERSION_REVISION    69
 
 // The macros generated by configure script.
 #include <srs_auto_headers.hpp>

diff --git a/trunk/src/service/srs_service_log.cpp b/trunk/src/service/srs_service_log.cpp
@@ -255,6 +255,12 @@ bool srs_log_header(char* buffer, int size, bool utc, bool dangerous, const char
                 level, getpid(), cid);
         }
     }
+
+    // Exceed the size, ignore this log.
+    // Check size to avoid security issue https://github.com/ossrs/srs/issues/1229
+    if (written >= size) {
+        return false;
+    }
 
     if (written == -1) {
         return false;

diff --git a/trunk/src/utest/srs_utest_core.cpp b/trunk/src/utest/srs_utest_core.cpp
@@ -64,9 +64,33 @@ VOID TEST(CoreMacroseTest, Check)
 #endif
 }
 
+#define _ARRAY_INIT(buf, sz, val) \
+    for (int i = 0; i < (int)sz; i++) buf[i]=val
+
 VOID TEST(CoreLogger, CheckVsnprintf)
 {
-    char buf[1024];
-    EXPECT_EQ(6, sprintf(buf, "%s", "Hello!"));
+    if (true) {
+        char buf[1024];
+        _ARRAY_INIT(buf, sizeof(buf), 0xf);
+
+        // Return the number of characters printed.
+        EXPECT_EQ(6, sprintf(buf, "%s", "Hello!"));
+        EXPECT_EQ('H', buf[0]);
+        EXPECT_EQ('!', buf[5]);
+        EXPECT_EQ(0x0, buf[6]);
+        EXPECT_EQ(0xf, buf[7]);
+    }
+
+    if (true) {
+        char buf[1024];
+        _ARRAY_INIT(buf, sizeof(buf), 0xf);
+
+        // Return the number of characters that would have been printed if the size were unlimited.
+        EXPECT_EQ(6, snprintf(buf, 3, "%s", "Hello!"));
+        EXPECT_EQ('H', buf[0]);
+        EXPECT_EQ('e', buf[1]);
+        EXPECT_EQ(0, buf[2]);
+        EXPECT_EQ(0xf, buf[3]);
+    }
 }