Supplied arguments length unchecked

[fakhrizulkifli]

These functions are vulnerable to buffer overflow caused by the unchecked supplied arguments length.

int VtDomain_report(struct VtDomain *vt_domain, const char *ip_addr_str) {

  CURL *curl;
  CURLcode res;
  int ret = 0;
  char get_url[512];  <-- fixed buffer size
  int len = 0;

  VtApiPage_resetBuffer((struct VtApiPage *) vt_domain);
  curl = curl_easy_init();
  if (!curl) {
    VT_ERROR("init curl\n");
    goto cleanup;
  }

  DBG(1, "Api Key =  '%s'\n", vt_domain->api_key);

  if (ret)
    VT_ERROR("Adding key\n");

  len = sprintf(get_url, VT_API_BASE_URL "domain/report?apikey=%s&domain=%s",
                vt_domain->api_key, ip_addr_str); <-- unchecked ip_addr_str length
  if (len < 0) {
    VT_ERROR("sprintf\n");
    goto cleanup;
  }

int VtFileDist_getDistribution(struct VtFileDist *vt_udist) {

  CURL *curl;
  CURLcode res;
  int ret = 0;
  char get_url[512]; <-- fixed buffer size
  int len = 0;
  long http_response_code = 0;

  VtApiPage_resetBuffer((struct VtApiPage *) vt_udist);
  curl = curl_easy_init();
  if (!curl) {
    VT_ERROR("init curl\n");
    goto cleanup;
  }

  DBG(1, "Api Key =  '%s'\n", vt_udist->api_key);

  if (ret)
    VT_ERROR("Adding key\n");

  len = sprintf(get_url, VT_API_BASE_URL "file/distribution?apikey=%s", vt_udist->api_key); <-- api_key length unchecked
  if (len < 0) {
    VT_ERROR("sprintf\n");
    goto cleanup;
  }

[karlhiramoto]

Fixed in #8