From 313cb9921c761b4b76420e0dd69a01c1fd64b2ba Mon Sep 17 00:00:00 2001
From: Daniel Danzberger <daniel@dd-wrt.com>
Date: Sat, 4 Jan 2020 15:03:29 +0100
Subject: [PATCH] Fix get_USB_InterfaceNumberOfEntries memory issues

- Fix Leaking on buffer allocation by using stack buffer
- Fix access on uninitalized and not zero terminated string returnd from
readlink()

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
---
 dmtree/tr181/usb.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/dmtree/tr181/usb.c b/dmtree/tr181/usb.c
index 44dddfdc..82c2b8ab 100644
--- a/dmtree/tr181/usb.c
+++ b/dmtree/tr181/usb.c
@@ -429,20 +429,23 @@ int get_USB_InterfaceNumberOfEntries(char *refparam, struct dmctx *ctx, void *da
 {
 	DIR *dir;
 	struct dirent *ent;
-	char filename[100];
-	char *buffer= NULL;
-	int size = 100;
+	char filename[128];
+	char buffer[64];
 	int nbre= 0;
+	ssize_t rc;
 
 	if ((dir = opendir ("/sys/class/net")) == NULL)
 		return 0;
+
 	while ((ent = readdir (dir)) != NULL) {
-		buffer= (char*)dmmalloc(100*sizeof(char));
-		snprintf(filename, sizeof(filename), "/sys/class/net/%s", ent->d_name);
-		readlink (filename, buffer, size);
-		if(strstr(buffer, "/usb") == NULL)
-			continue;
-		nbre++;
+		sprintf(filename, "/sys/class/net/%s", ent->d_name);
+		rc = readlink (filename, buffer, sizeof(buffer) - 1);
+		if (rc > 0) {
+			buffer[rc] = 0;
+
+			if(!strstr(buffer, "/usb") == NULL)
+				nbre++;
+		}
 	}
 	dmasprintf(value, "%d", nbre);
 	return 0;