From bd74be849692ec58c0dd3882de9da386f5cc355c Mon Sep 17 00:00:00 2001
From: Sam Stenvall
Date: Tue, 6 Aug 2024 14:03:09 +0300
Subject: [PATCH] Heap-allocate memory for JSON string escaping

Fixes "escape_json_string:179 buffer size too small (199)" from /state.json when the command line used to run minisatip is longer than 200 characters (happens easily if all paths must be overriden)
---
 src/api/variables.c | 23 ++++++++++-------------
 src/api/variables.h | 3 ++-
 src/minisatip.c | 6 +++++-
 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/src/api/variables.c b/src/api/variables.c
index 11e2006e50..9ef57436b2 100644
--- a/src/api/variables.c
+++ b/src/api/variables.c
@@ -183,12 +183,10 @@ int escape_json_string(char *dest, int dl, char *src, int sl) {
 return j;
 }
-int get_json_state(char *buf, int len) {
+int get_json_state(char *buf, int len, char *sbuf, int slen) {
 int ptr = 0, first = 1, i, j, off, string;
 _symbols *p;
- char escape[200]; // string variable max len
- memset(escape, 0, sizeof(escape));
 strlcatf(buf, len, ptr, "{\n");
 for (i = 0; sym[i] != NULL; i++) {
 for (j = 0; sym[i][j].name; j++) {
@@ -207,10 +205,10 @@ int get_json_state(char *buf, int len) {
 if (p->type < VAR_ARRAY) {
 if (string) {
 int len2 =
- snprintf_pointer(escape, sizeof(escape) - 1, p->type,
+ snprintf_pointer(sbuf, slen - 1, p->type,
 p->addr, p->multiplier);
 ptr +=
- escape_json_string(buf + ptr, len - ptr, escape, len2);
+ escape_json_string(buf + ptr, len - ptr, sbuf, len2);
 } else
 ptr += snprintf_pointer(buf + ptr, len - ptr, p->type, p->addr, p->multiplier);
@@ -221,9 +219,9 @@ int get_json_state(char *buf, int len) {
 strlcatf(buf, len, ptr, ",");
 if (string) {
 int len2 = snprintf_pointer(
- escape, sizeof(escape) - 1, p->type,
+ sbuf, slen - 1, p->type,
 ((char *)p->addr) + off + p->skip, p->multiplier);
- ptr += escape_json_string(buf + ptr, len - ptr, escape,
+ ptr += escape_json_string(buf + ptr, len - ptr, sbuf,
 len2);
 } else
 ptr += snprintf_pointer(
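Review bot: get_json_state() now writes through a caller-owned scratch buffer but neither documents nor checks it, so a NULL `sbuf` or an `slen` below 2 reaches snprintf_pointer() as-is once `slen - 1` is passed as the size further down. I would add a guard at the top of the body, `if (!sbuf || slen < 2) return 0;` (or whatever error convention the callers expect, which is not visible here). A header comment would also help, for example `/* sbuf/slen: caller-owned scratch space holding one unescaped string value at a time; slen must be at least 2 */`. The function body continues outside this hunk.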
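Review bot: `len2` is handed to escape_json_string() as the source length without being clamped to the scratch buffer, here and in the same pattern in the `@@ -221` and `@@ -239` hunks. snprintf_pointer() is not part of this patch; if it follows the snprintf convention of returning the length the untruncated output would have had, a value longer than `slen - 1` makes escape_json_string() read past the end of `sbuf`, and after this commit that is adjacent heap memory which would be copied into the /state.json response. Clamping after each call, `if (len2 < 0) len2 = 0; else if (len2 > slen - 1) len2 = slen - 1;`, makes the bound explicit regardless of the helper's return convention.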
@@ -239,9 +237,9 @@ int get_json_state(char *buf, int len) {
 strlcatf(buf, len, ptr, ",");
 if (string) {
 int len2 = snprintf_pointer(
- escape, sizeof(escape) - 1, p->type,
+ sbuf, slen - 1, p->type,
 p1[off] ? p1[off] + p->skip : zero, p->multiplier);
- ptr += escape_json_string(buf + ptr, len - ptr, escape,
+ ptr += escape_json_string(buf + ptr, len - ptr, sbuf,
 len2);
 } else
 ptr += snprintf_pointer(
@@ -275,12 +273,11 @@ int get_json_state(char *buf, int len) {
 get_data_string funs = (get_data_string)p->addr;
 strlcatf(buf, len, ptr, "[");
 for (off = 0; off < p->len; off++) {
- memset(escape, 0, sizeof(escape));
- funs(off, escape, sizeof(escape) - 1);
+ memset(sbuf, 0, slen);
+ funs(off, sbuf, slen - 1);
 if (off > 0)
 strlcatf(buf, len, ptr, ",");
- ptr += escape_json_string(buf + ptr, len - ptr, escape,
- strlen(escape));
+ ptr += escape_json_string(buf + ptr, len - ptr, sbuf, slen);
 }
 strlcatf(buf, len, ptr, "]");
 // LOG("func_str -> %s", buf);
diff --git a/src/api/variables.h b/src/api/variables.h
index ae281be701..01c21eea3c 100644
--- a/src/api/variables.h
+++ b/src/api/variables.h
@@ -44,6 +44,7 @@ #define JSON_STATE_MAXLEN (256 * 1024)
 #define JSON_BANDWIDTH_MAXLEN 1024
+#define JSON_STRING_MAXLEN 1024
 typedef int (*get_data_int)(int p);
 typedef int64_t (*get_data_int64)(int p);
@@ -57,7 +58,7 @@ void *get_var_address(char *var, float *multiplier, int *type, void *storage, int ls);
 int escape_json_string(char *dest, int dl, char *src, int sl);
-int get_json_state(char *buf, int len);
+int get_json_state(char *buf, int len, char *sbuf, int slen);
 int get_json_bandwidth(char *buf, int len);
 #endif
diff --git a/src/minisatip.c b/src/minisatip.c
index 592bca4062..8462edec12 100644
--- a/src/minisatip.c
+++ b/src/minisatip.c
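Review bot: In the `@@ -275` hunk the source length passed to escape_json_string() changed from `strlen(escape)` to `slen`, so the whole scratch buffer is passed as input instead of the length of the string `funs()` produced. escape_json_string() is outside this patch, so the exact effect depends on how it treats NUL bytes. At best it walks the full buffer for every element; at worst it emits escaped or raw NULs into the JSON and uses up `len - ptr` early. Keeping the original bound looks like the intent: `ptr += escape_json_string(buf + ptr, len - ptr, sbuf, strlen(sbuf));`.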
@@ -1589,13 +1589,17 @@ int read_http(sockets *s) {
 if (strcmp(arg[1], "/state.json") == 0) {
 char *buf = _malloc(JSON_STATE_MAXLEN);
- int len = get_json_state(buf, JSON_STATE_MAXLEN);
+ char *sbuf = _malloc(JSON_STRING_MAXLEN);
+ memset(sbuf, 0, JSON_STRING_MAXLEN);
+ int len =
+ get_json_state(buf, JSON_STATE_MAXLEN, sbuf, JSON_STRING_MAXLEN);
 http_response(s, 200, "Content-Type: application/json\r\n" "Connection: close\r\n" "Access-Control-Allow-Origin: *", buf, 0, len);
 _free(buf);
+ _free(sbuf);
 return 0;
 }
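Review bot: `sbuf` goes to memset() straight after `_malloc()` with no NULL check, and `buf` is likewise passed on unchecked. Whether `_malloc` can return NULL is not visible in this hunk, but if it can, a failed allocation while serving /state.json becomes a NULL write inside read_http(). A guard before the memset would cover both, for example `if (!buf || !sbuf) { _free(buf); _free(sbuf); return 0; }`, assuming `_free` accepts NULL and using whatever error response read_http() sends elsewhere. read_http() starts and ends outside this hunk.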