From 8b06f835e259652b0ff026898014fc7297ade858 Mon Sep 17 00:00:00 2001
From: Christian Beier
Date: Sat, 29 Sep 2018 20:55:24 +0200
Subject: [PATCH] When connecting to a repeater, only send initialised string

Closes #253
---
 examples/repeater.c | 10 ++++++++--
 libvncclient/rfbproto.c | 8 ++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/examples/repeater.c b/examples/repeater.c
index cf0350f..dbfa39e 100644
--- a/examples/repeater.c
+++ b/examples/repeater.c
@@ -12,6 +12,7 @@ int main(int argc,char** argv)
 char *repeaterHost;
 int repeaterPort, sock;
 char id[250];
+ int idlen;
 rfbClientPtr cl;
 int i,j;
 
@@ -23,7 +24,12 @@ int main(int argc,char** argv)
 "Usage: %s []\n", argv[0]);
 exit(1);
 }
- snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
+ idlen = snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
+ if(idlen < 0 || idlen >= (int)sizeof(id)) {
+ fprintf(stderr, "Error, given ID is probably too long.\n");
+ return 1;
+ }
+
 repeaterHost = argv[2];
 repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
 
@@ -48,7 +54,7 @@ int main(int argc,char** argv)
 perror("connect to repeater");
 return 1;
 }
- if (write(sock, id, sizeof(id)) != sizeof(id)) {
+ if (write(sock, id, idlen+1) != idlen+1) {
 perror("writing id");
 return 1;
 }
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index e5373bc..669e388 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -363,6 +363,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
 rfbProtocolVersionMsg pv;
 int major,minor;
 char tmphost[250];
+ int tmphostlen;
 
 #ifdef LIBVNCSERVER_IPv6
 client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
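Review bot: In the examples/repeater.c hunk at `@@ -23,7 +24,12 @@`, the truncation check does not match the size handed to snprintf: the call limits output to `sizeof(id) - 1` bytes, so an ID whose formatted length is exactly `sizeof(id) - 1` (249) is cut to 248 characters plus NUL, yet `idlen >= (int)sizeof(id)` is false and the program goes on to `write(sock, id, idlen+1)`, sending the truncated ID followed by `id[249]`, a byte of the uninitialised local array that snprintf never wrote. Since snprintf always NUL-terminates within the size it is given, the `- 1` is unnecessary; use `idlen = snprintf(id, sizeof(id), "ID:%s", argv[1]);` so the existing `idlen >= (int)sizeof(id)` check rejects every truncated ID, or keep the call and compare against `(int)(sizeof(id) - 1)` instead. The corresponding libvncclient/rfbproto.c change passes `sizeof(tmphost)` to snprintf and compares against the same value, so it does not have this gap. main() begins and ends outside the hunk.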
@@ -398,8 +399,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
 rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
 
- snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
- if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
+ tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+ if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
+ return FALSE; /* snprintf error or output truncated */
+
+ if (!WriteToRFBServer(client, tmphost, tmphostlen + 1))
 return FALSE;
 
 return TRUE;