Fix command Scale buffer overflow

Fix command Scale buffer overflow (#3236)
2018-07-16 12:37:49 +02:00 · 2018-07-16 12:37:49 +02:00 · 9ef10f24d2
parent b56961c528
commit 9ef10f24d2
2 changed files with 19 additions and 26 deletions
--- a/sonoff/_changelog.ino
+++ b/sonoff/_changelog.ino
@ -1,4 +1,5 @@
 /* 6.1.1b
+ * Fix command Scale buffer overflow (#3236)
 * Fix rules once regression from v6.1.0 (#3198, #3226)
 * Add default Wifi Configuration tool as define WIFI_CONFIG_NO_SSID in user_config.h if no SSID is configured (#3224)
 * Add user selection of Wifi Smartconfig as define USE_SMARTCONFIG in user_config.h
--- a/sonoff/xdrv_10_rules.ino
+++ b/sonoff/xdrv_10_rules.ino
@ -557,44 +557,38 @@ boolean RulesCommand()
    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, Settings.mems[index -1]);
  }
  else if ((CMND_ADD == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ) {
+    if (XdrvMailbox.data_len > 0) {
      double tempvar = CharToDouble(vars[index -1]) + CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
    }
    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
  }
  else if ((CMND_SUB == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ){
+    if (XdrvMailbox.data_len > 0) {
      double tempvar = CharToDouble(vars[index -1]) - CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
    }
    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
  }
  else if ((CMND_MULT == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ){
+    if (XdrvMailbox.data_len > 0) {
      double tempvar = CharToDouble(vars[index -1]) * CharToDouble(XdrvMailbox.data);
-      dtostrfd(tempvar,2,vars[index -1]);
+      dtostrfd(tempvar, 2, vars[index -1]);
    }
    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
  }
  else if ((CMND_SCALE == command_code) && (index > 0) && (index <= RULES_MAX_VARS)) {
-    if ( XdrvMailbox.data_len > 0 ) {
+    if (XdrvMailbox.data_len > 0) {
      if (strstr(XdrvMailbox.data, ",")) {     // Process parameter entry
-        double value = 0;
-        double valueIN = 0;
-        double fromLow = 0;
-        double fromHigh = 0;
-        double toLow = 0;
-        double toHigh = 0;
+        char sub_string[XdrvMailbox.data_len +1];

-        valueIN = CharToDouble(subStr(XdrvMailbox.data, ",", 1));
-        fromLow = CharToDouble(subStr(XdrvMailbox.data, ",", 2));
-        fromHigh = CharToDouble(subStr(XdrvMailbox.data, ",", 3));
-        toLow = CharToDouble(subStr(XdrvMailbox.data, ",", 4));
-        toHigh = CharToDouble(subStr(XdrvMailbox.data, ",", 5));
-
-        value = map_double(valueIN, fromLow, fromHigh, toLow, toHigh);
-        dtostrfd(value,2,vars[index -1]);
+        double valueIN = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 1));
+        double fromLow = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 2));
+        double fromHigh = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 3));
+        double toLow = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 4));
+        double toHigh = CharToDouble(subStr(sub_string, XdrvMailbox.data, ",", 5));
+        double value = map_double(valueIN, fromLow, fromHigh, toLow, toHigh);
+        dtostrfd(value, 2, vars[index -1]);
      }
    }
    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, vars[index -1]);
@ -610,17 +604,16 @@ double map_double(double x, double in_min, double in_max, double out_min, double
 }

 // Function to return a substring defined by a delimiter at an index
-char* subStr (char* str, const char *delim, int index)
+char* subStr(char* dest, char* str, const char *delim, int index)
 {
  char *act;
  char *sub;
  char *ptr;
-  static char copy[10];
  int i;

  // Since strtok consumes the first arg, make a copy
-  strcpy(copy, str);
-  for (i = 1, act = copy; i <= index; i++, act = NULL) {
+  strncpy(dest, str, strlen(str));
+  for (i = 1, act = dest; i <= index; i++, act = NULL) {
    sub = strtok_r(act, delim, &ptr);
    if (sub == NULL) break;
  }
@ -628,7 +621,6 @@ char* subStr (char* str, const char *delim, int index)
  return sub;
 }

-
 /*********************************************************************************************\
 * Interface
 \*********************************************************************************************/