bug buffer overflow para resposta de comando grandes

2 years ago · 51f71f71a3
2 changed files with 55 additions and 35 deletions
--- a/10
+++ b/10
@ -28,8 +28,8 @@ $(DIR_OBJ)%.o: $(DIR_SRC)%.c


 install:$(NAME_LIBRARY)
-	install -m 0755 libami_c.so /usr/local/lib64/libami_c.so
-	@ln -s /usr/local/lib/libami_c.so /usr/local/lib64/libami_c.so
+	install -m 0755 libami_c.so /usr/lib64/libami_c.so
+	@ln -s /usr/lib64/libami_c.so /usr/local/lib/libami_c.so
 	install -m 0744 src/ami_c.h /usr/local/include/ami_c.h

 	$(info usar #include <ami_c.h>)
@ -50,9 +50,9 @@ clean:

 .PHONY: uninstall
 uninstall:
-	rm ${DESTDIR}/usr/local/lib/libami_c.so
-	rm ${DESTDIR}/usr/lib/libami_c.so
-	rm ${DESTDIR}/usr/local/include/ami_c.h
+	rm -f ${DESTDIR}/usr/local/lib/libami_c.so
+	rm -f ${DESTDIR}/usr/lib64/libami_c.so
+	rm -f ${DESTDIR}/usr/local/include/ami_c.h


 .PHONY: menu
--- a/src/net.c
+++ b/src/net.c
@ -10,7 +10,6 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <pthread.h>
-#include <stdio.h>


 /*!
@ -235,7 +234,7 @@ int ami_connect_ami(NET *net){
 	while(1){

 		if (connect(net->sock, (struct sockaddr *)&net->sock_addr, sizeof(struct sockaddr_in) ) == -1){
-			usleep( 100000 );
+			usleep( 50000 );
 			continue;
 		}

@ -275,8 +274,7 @@ static int ami_create_socket(NET *net){
 int ami_communication_ami(AMI *ami){

 	int bytes = 0;
-	char more_buffer[MAX_BUFFER_NET + MAX_BUFFER_NET];
-	char buffer_old[MAX_BUFFER_NET];
+	char *prev_buffer = NULL, *buffer = NULL;
 	int i = 0;
 	int timeout = 2;
 	int incomplete = 0;
@ -290,19 +288,20 @@ int ami_communication_ami(AMI *ami){
 			if(errno == EINTR){//EINTR 4 Interrupted system call
 				continue;
 			}
-			return -1;
+
+			goto fail;
 		}

 		if(pfd[0].revents & POLLHUP) { // Hang up
-			return -1;
+			goto fail;
 		}

 		if(pfd[0].revents & (POLLHUP| POLLERR)) { // Hang up
-			return -1;
+			goto fail;
 		}

 		if(pfd[0].revents & POLLERR) {
-			return -1;
+			goto fail;
 		}

 		if(pfd[0].revents & POLLPRI){
@ -313,25 +312,30 @@ int ami_communication_ami(AMI *ami){
 		else if(pfd[0].revents & POLLIN) {
 			char *buffer = NULL;

-			timeout = 2;
+			timeout = 1;
 			i = 0;

 			bytes = recv(ami->net.sock, ami->net.buffer_net, MAX_BUFFER_NET - 1, 0);
 			if(bytes == 0){
-				return -1;
+				goto fail;
 			}
 			ami->net.buffer_net[bytes] = '\0';

-			if( incomplete == 1){
-				strcpy( more_buffer, buffer_old );
-				strcat( more_buffer, ami->net.buffer_net );
-				buffer = more_buffer;
-				incomplete = 0;
+			buffer = calloc( 1, (prev_buffer == NULL ? 0 : strlen( prev_buffer) ) + strlen( ami->net.buffer_net ) + 1 );
+
+			/* prev_buffer -> pedaço de bloco incompleto */
+			if( prev_buffer ){
+				strcpy( buffer, prev_buffer );
+				strcat( buffer, ami->net.buffer_net );
+				free(prev_buffer);
 			}
 			else{
-				buffer = ami->net.buffer_net;
+				strcpy( buffer, ami->net.buffer_net);
 			}

+			prev_buffer = NULL;
+			incomplete = 0;
+
 			if( ami->asterisk.is_logged == 0 ){
 				if(!strncmp( buffer, "Asterisk Call", 12 )){
 					memset(ami->asterisk.welcome, 0, 64);
@ -349,9 +353,15 @@ int ami_communication_ami(AMI *ami){

 			if(ami->net.pause == 1){
 				incomplete = 0;
+				free( buffer );
+				buffer = NULL;
+
+				free(prev_buffer);
+				prev_buffer = NULL;
 				continue;
 			}

+			/* analisar o conteúdo recebido */
 			char *block = NULL;
 			block = define_block(buffer, &buffer);
 			while(block){
@ -363,33 +373,43 @@ int ami_communication_ami(AMI *ami){
 				}

 				if(incomplete == 1){
-					strcpy( buffer_old, block );
+					prev_buffer = calloc(1, strlen(block) + 1);
+					strcpy( prev_buffer, block );
+
 				}

 				block = define_block(NULL, &buffer); // próximo bloco
 			}
+
+			free(buffer);
+			buffer = NULL;
 		}
 		else{
-			// 2 * 200 = 400 = 0.4 seconds
-			if( i > 200 ){
-				timeout = 100;
-			}
-
-			// 100 * 4 = 400
-			if( i >= 203 ){
-				usleep(100000); // sleep 0.1 segundos
+			// 1500 milisegundos = 1,5 segundos; timeout(1) = 0,001 segundos
+			if( i <= 1500 ){
+				timeout = 1; // esse valor também é definido quando entra no POLLIN
 			}

-			if( i >= 208 ){
-				usleep(200000);
+			// Acima de 1500(1,5 segundos) = timeout(100) = 0,1 
+			if( i > 1500 ){
+				timeout = 100
 			}

-			if(i < 240){
-				++i;
-			}
+			++i;
 		}
 	}

 	return 0;
+
+fail:
+	if(prev_buffer){
+		free(prev_buffer);
+	}
+
+	if(buffer){
+		free(buffer);
+	}
+
+	return -1;
 }