From 234e72f0adedf26cea5a350876dab636d6245ba3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 13 Mar 2018 18:54:08 +0100
Subject: [PATCH] stroke: Ensure a minimum message length

Also includes f44b1eb4447085cff350bcd89dbcd080347b91f8 to terminate the message strings.
---
 src/libcharon/plugins/stroke/stroke_socket.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 88f73f3b04bd..39586dc3c489 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -588,9 +588,14 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 }
 return FALSE;
 }
+ if (len < offsetof(stroke_msg_t, buffer))
+ {
+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
+ return FALSE;
+ }

- /* read message */
- msg = malloc(len);
+ /* read message (we need an additional byte to terminate the buffer) */
+ msg = malloc(len + 1);
 msg->length = len;
 if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
 {
@@ -601,6 +606,9 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 free(msg);
 return FALSE;
 }
+ /* make sure even incorrectly unterminated strings don't extend over the
+ * message boundaries */
+ ((char*)msg)[len] = '\0';

 DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);

--
2.7.4
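Review bot: The result of `malloc(len + 1)` is dereferenced on the very next line (`msg->length = len;`) without a NULL check, and `len` is a value supplied by whoever connects to the stroke socket. Adding `if (!msg) { return FALSE; }` directly after the allocation would turn an allocation failure into a rejected message rather than a crash of the daemon. The declaration of `len` is outside the hunk; the `%d` in the new DBG1 call suggests a type no wider than int, which is worth confirming so that `len + 1` cannot wrap. on_accept starts and ends outside the hunk.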
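Review bot: The new comment above `((char*)msg)[len] = '\0';` should state the limit of what the terminator guarantees: it stops a string scan at the end of the allocation only when the scan starts at an offset inside the message. I would extend it to something like `/* bounds any string that starts inside the message; start offsets must still be validated against msg->length before use */`. Whether that offset validation exists is not visible here, since the code that consumes the message is outside the hunk.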