Merge 7815be8741 into 99ab67143a

bcmserver: fix buffer overflow

bcmserver.c

@@ -153,7 +153,7 @@ int main(void)
 
 	char buf[MAXLEN];
 	char format[FORMATSZ];
-	char rxmsg[50];
+	char rxmsg[64];
 
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wpragmas"
@@ -234,7 +234,7 @@ int main(void)
 	}
 
 	while (1) {
-
+again:
 		FD_ZERO(&readfds);
 		FD_SET(sc, &readfds);
 		FD_SET(sa, &readfds);
@@ -242,6 +242,8 @@ int main(void)
 		select((sc > sa)?sc+1:sa+1, &readfds, NULL, NULL, NULL);
 
 		if (FD_ISSET(sc, &readfds)) {
+			size_t size = sizeof(rxmsg);
+			int len = 0, res;
 
 			recvfrom(sc, &msg, sizeof(msg), 0,
 				 (struct sockaddr*)&caddr, &caddrlen);
@@ -249,17 +251,35 @@ int main(void)
 			ifr.ifr_ifindex = caddr.can_ifindex;
 			ioctl(sc, SIOCGIFNAME, &ifr);
 
-			sprintf(rxmsg, "< %s %03X %d ", ifr.ifr_name,
-				msg.msg_head.can_id, msg.frame.can_dlc);
+			res = snprintf(rxmsg, size, "< %s %03X %d ", ifr.ifr_name,
+				       msg.msg_head.can_id, msg.frame.can_dlc);
+			if (res < 0 || (size_t)res >= size) {
+				printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+				continue;
+			}
 
-			for ( i = 0; i < msg.frame.can_dlc; i++)
-				sprintf(rxmsg + strlen(rxmsg), "%02X ",
-					msg.frame.data[i]);
+			len += res;
+
+			for (i = 0; i < msg.frame.can_dlc; i++) {
+				res = snprintf(rxmsg + len, size - len, "%02X ", msg.frame.data[i]);
+				if (res < 0 || (size_t)res >= (size - len)) {
+					printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+					goto again;
+				}
+
+				len += res;
+			}
 
 			/* delimiter '\0' for Adobe(TM) Flash(TM) XML sockets */
-			strcat(rxmsg, ">\0");
+			res = snprintf(rxmsg + len, size - len, ">");
+			if (res < 0 || (size_t)res >= (size - len)) {
+				printf("Error: rxmsg buffer (size %zu) too small for data.\n", size);
+				continue;
+			}
 
-			send(sa, rxmsg, strlen(rxmsg) + 1, 0);
+			len += res;
+
+			send(sa, rxmsg, len + 1, 0);
 		}
 
 

canerrsim.c

@@ -25,6 +25,7 @@
 #include <linux/can/error.h>
 #include <linux/can/raw.h>
 #include <net/if.h>
+#include <stdarg.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -122,27 +123,25 @@ void show_help_and_exit()
 	exit(EXIT_SUCCESS);
 }
 
-void err_exit(const char *msg)
+void __attribute__((format (printf, 1, 2))) err_exit(const char *format, ...)
 {
-	printf("%s", msg);
-	exit(EXIT_FAILURE);
-}
+	va_list ap;
 
-void show_custom_format_and_exit(const char *param, const char *format)
-{
-	char str_buf[80];
-	sprintf(str_buf, format, param);
-	err_exit(str_buf);
+	va_start(ap, format);
+	vfprintf(stdout, format, ap);
+	va_end(ap);
+
+	exit(EXIT_FAILURE);
 }
 
 void show_invalid_option(const char *option)
 {
-	show_custom_format_and_exit(option, "Error: Invalid option %s\n");
+	err_exit("Error: Invalid option %s\n", option);
 }
 
 void show_err_and_exit(const char *err_type)
 {
-	show_custom_format_and_exit(err_type, "Error: You can only have one %s parameter!\n");
+	err_exit("Error: You can only have one %s parameter!\n", err_type);
 }
 
 void show_loc_err_and_exit()
@@ -176,7 +175,6 @@ int main(int argc, char *argv[])
 	struct ifreq ifr;
 	struct can_frame frame;
 	bool show_bits = false, location_processed = false, transceiver_processed = false, arbitration_processed = false;
-	char tmp_str[256];
 
 	printf("CAN Sockets Error Messages Simulator\n");
 	if (argc < 3)
@@ -537,24 +535,25 @@ int main(int argc, char *argv[])
 
 	// create socket
 	if ((sock = socket(PF_CAN, SOCK_RAW, CAN_RAW)) < 0)
-		err_exit("Error while opening socket");
+		err_exit("Error while opening socket\n");
 
 	// set interface name
+	if (strlen(argv[1]) >= IFNAMSIZ)
+		err_exit("Name of CAN device '%s' is too long!\n\n", argv[1]);
+
 	strcpy(ifr.ifr_name, argv[1]); // can0, vcan0...
-	if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0) {
-		sprintf(tmp_str, "Error setting CAN interface name %s", argv[1]);
-		err_exit(tmp_str);
-	}
+	if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0)
+		err_exit("Error setting CAN interface name %s\n", argv[1]);
 
 	// bind socket to the CAN interface
 	addr.can_family = AF_CAN;
 	addr.can_ifindex = ifr.ifr_ifindex;
 	if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
-		err_exit("Error in socket bind");
+		err_exit("Error in socket bind\n");
 
 	// Send CAN error frame
 	if (write(sock, &frame, sizeof(frame)) < 0)
-		err_exit("Error writing to socket");
+		err_exit("Error writing to socket\n");
 	else
 		printf("CAN error frame sent\n");
 

cangen.c

@@ -867,7 +867,14 @@ int main(int argc, char **argv)
 	if (ret)
 		return 1;
 
+	int k[] = {1,2};
+	int j = 0;
 	while (running) {
+		ts_gap = double_to_timespec((k[j%2])/1000.0);
+		// printf("%lu, %lu\n", ts_gap.tv_sec, ts_gap.tv_nsec);
+		setsockopt_txtime(s);
+		setup_time();
+		j++;
 		/* clear values but preserve cu.fd.len */
 		cu.fd.flags = 0;
 		cu.fd.__res0 = 0;

canplayer.c

@@ -48,6 +48,7 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <stdbool.h>
 
 #include <linux/can.h>
 #include <linux/can/raw.h>
@@ -89,6 +90,12 @@ const int canfx_on = 1;
 
 extern int optind, opterr, optopt;
 
+struct sleep {
+	struct timeval *sleep_vector;
+	size_t idx;
+	size_t size;
+};
+
 static void print_usage(char *prg)
 {
 	fprintf(stderr, "%s - replay a compact CAN frame logfile to CAN devices.\n", prg);
@@ -117,6 +124,8 @@ static void print_usage(char *prg)
 			"loopback of sent CAN frames)\n");
 	fprintf(stderr, "         -v           (verbose: print "
 			"sent CAN frames)\n");
+	fprintf(stderr, "         -r           (real-time: send "
+			"CAN frames in real-time)\n");
 	fprintf(stderr, "         -h           (show "
 			"this help message)\n\n");
 	fprintf(stderr, "Interface assignment:\n");
@@ -280,8 +289,11 @@ int main(int argc, char **argv)
 	int eof, txmtu, i, j;
 	char *fret;
 	unsigned long long sec, usec;
+	bool gap_from_file = false;
+	struct sleep timestamps;
+	struct timeval send_time, act_time, init_trace, init_time;
 
-	while ((opt = getopt(argc, argv, "I:l:tin:g:s:xvh")) != -1) {
+	while ((opt = getopt(argc, argv, "I:l:tin:g:s:xvrh")) != -1) {
 		switch (opt) {
 		case 'I':
 			infile = fopen(optarg, "r");
@@ -336,6 +348,17 @@ int main(int argc, char **argv)
 			verbose++;
 			break;
 
+		case 'r':
+			if (isatty(fileno(infile))) {
+				fprintf(stderr, "Specify an input file for option -r !\n");
+				exit(EXIT_FAILURE);
+			}
+			gap_from_file = true; /* using time delta from file */
+			init_trace.tv_sec = 0;
+			init_trace.tv_usec = 0;
+			timestamps.idx = 0; /*to avoid warning accessing idx variable*/
+			break;
+
 		case 'h':
 			print_usage(basename(argv[0]));
 			exit(EXIT_SUCCESS);
@@ -368,8 +391,10 @@ int main(int argc, char **argv)
 		printf("interactive mode: press ENTER to process next CAN frame ...\n");
 	}
 
-	sleep_ts.tv_sec = gap / 1000;
-	sleep_ts.tv_nsec = (gap % 1000) * 1000000;
+	if (!gap_from_file) {
+		sleep_ts.tv_sec = gap / 1000;
+		sleep_ts.tv_nsec = (gap % 1000) * 1000000;
+	}
 
 	/* open socket */
 	if ((s = socket(PF_CAN, SOCK_RAW, CAN_RAW)) < 0) {
@@ -553,6 +578,26 @@ int main(int argc, char **argv)
 				}
 				log_tv.tv_sec = sec;
 
+				if (gap_from_file){
+					if (timestamps.idx == 0){
+						gettimeofday(&init_time, NULL);
+						if (log_tv.tv_sec > 0 || log_tv.tv_usec > 0)
+							init_trace = log_tv;
+					}
+					timersub(&log_tv, &init_trace, &send_time);
+
+					if (timestamps.idx > 0){
+						gettimeofday(&act_time, NULL);
+						timersub(&act_time, &init_time, &act_time);
+
+						while (timercmp(&act_time, &send_time, <)){
+							gettimeofday(&act_time, NULL);
+							timersub(&act_time, &init_time, &act_time);
+						}
+					}
+					timestamps.idx++;
+				}
+
 				/*
 				 * ensure the fractions of seconds are 6 or 9 decimal places long to catch
 				 * 3rd party or handcrafted logfiles that treat the timestamp as float
@@ -582,7 +627,7 @@ int main(int argc, char **argv)
 
 			} /* while frames_to_send ... */
 
-			if (nanosleep(&sleep_ts, NULL))
+			if (!gap_from_file && nanosleep(&sleep_ts, NULL))
 				return 1;
 
 			delay_loops++; /* private statistics */