client: harden og_resp_refresh

Harden refresh response logic. Check for necessary JSON fields inside the payload. Check if serial_number is null before calling strlen, prevent ogServer from a malformed refresh response with missing serial_number. Refresh uses legacy function actualizaConfiguracion that takes a long string with the computers configuration (serialno, partitions, disks, link speed and status). Check for an empty string before executing any legacy code inside actualizaConfiguracion.
2023-06-05 18:12:24 +02:00 · 2023-06-05 18:12:24 +02:00 · 92f83c0385
parent 8cf02475ba
commit 92f83c0385
2 changed files with 11 additions and 1 deletions
--- a/src/client.c
+++ b/src/client.c
@ -420,6 +420,10 @@ static int og_resp_refresh(json_t *data, struct og_client *cli)
 	if (link)
 		cli->speed = link;

+	/*
+	 * status is the only received field when the response is coming from a
+	 * client using linux/windows mode.
+	 */
 	if (status) {
 		if (!strncmp(status, "LINUX", strlen("LINUX"))) {
 			cli->status = OG_CLIENT_STATUS_LINUX;
@ -429,7 +433,7 @@ static int og_resp_refresh(json_t *data, struct og_client *cli)
 		return 0;
 	}

-	if (strlen(serial_number) > 0)
+	if (serial_number && strlen(serial_number) > 0)
 		snprintf(cfg, sizeof(cfg), "ser=%s\n", serial_number);

 	for (i = 0; i < OG_DISK_MAX; i++) {
--- a/src/ogAdmServer.c
+++ b/src/ogAdmServer.c
@ -52,6 +52,12 @@ bool actualizaConfiguracion(struct og_dbi *dbi, char *cfg, int ido)
 	dbi_result result, result_update;
 	const char *msglog;

+	if (cfg && strlen(cfg) == 0) {
+		syslog(LOG_ERR, "Empty configuration string (%s:%d)\n",
+				__func__, __LINE__);
+		return false;
+	}
+
 	lon = 0;
 	p = splitCadena(ptrPar, cfg, '\n');
 	for (i = 0; i < p; i++) {