When object_key_increment or _decrement is called on [u]int16 value, uninitialized value is read as result value. Solution is to read really only 16-bits.
Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
exec/objdb.c | 24 ++++++++++++++----------
1 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/exec/objdb.c b/exec/objdb.c
index baadda3..5d7c124 100644
--- a/exec/objdb.c
+++ b/exec/objdb.c
@@ -1100,26 +1100,33 @@ static int object_key_increment (
 switch (object_key->value_type) {
 case OBJDB_VALUETYPE_INT16:
 (*(int16_t *)object_key->value)++;
+ *value = *(int16_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT16:
 (*(uint16_t *)object_key->value)++;
+ *value = *(uint16_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_INT32:
 (*(int32_t *)object_key->value)++;
+ *value = *(int32_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT32:
 (*(uint32_t *)object_key->value)++;
+ *value = *(uint32_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_INT64:
 (*(int64_t *)object_key->value)++;
+ *value = *(int64_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT64:
 (*(uint64_t *)object_key->value)++;
+ *value = *(uint64_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_ANY:
 /* for backwards compatibilty */
 if (object_key->value_len == sizeof(int)) {
 (*(int *)object_key->value)++;
+ *value = *(int *)object_key->value;
 }
 else {
 res = -1;
@@ -1129,11 +1136,6 @@ static int object_key_increment (
 res = -1;
 break;
 }
- if (res == 0) {
- /* nasty, not sure why we need to return this typed
- * instead of void* */
- *value = *(int *)object_key->value;
- }
 }
 else {
 res = -1;
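Review bot: The typed cases in the first hunk dereference `object_key->value` at the full width of the declared type without consulting `object_key->value_len`; only the `OBJDB_VALUETYPE_ANY` branch compares the stored length with the access size. If a key's `value_type` and `value_len` can ever disagree (whether key creation enforces this is not visible here), both the increment and the added `*value = ...` read run past the stored buffer, so each case would be safer with a guard such as `if (object_key->value_len != sizeof(int64_t)) { res = -1; break; }` ahead of the cast. The same applies to the matching cases in the `object_key_decrement` hunk. Separately, the INT64/UINT64 results are assigned through `value`, whose declaration lies outside the hunk along with the rest of the function body; if it is still int-sized, as the removed `*(int *)` read suggests, those results are silently narrowed.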
@@ -1187,26 +1189,33 @@ static int object_key_decrement (
 switch (object_key->value_type) {
 case OBJDB_VALUETYPE_INT16:
 (*(int16_t *)object_key->value)--;
+ *value = *(int16_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT16:
 (*(uint16_t *)object_key->value)--;
+ *value = *(uint16_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_INT32:
 (*(int32_t *)object_key->value)--;
+ *value = *(int32_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT32:
 (*(uint32_t *)object_key->value)--;
+ *value = *(uint32_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_INT64:
 (*(int64_t *)object_key->value)--;
+ *value = *(int64_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_UINT64:
 (*(uint64_t *)object_key->value)--;
+ *value = *(uint64_t *)object_key->value;
 break;
 case OBJDB_VALUETYPE_ANY:
 /* for backwards compatibilty */
 if (object_key->value_len == sizeof(int)) {
 (*(int *)object_key->value)--;
+ *value = *(int *)object_key->value;
 }
 else {
 res = -1;
@@ -1216,11 +1225,6 @@ static int object_key_decrement (
 res = -1;
 break;
 }
- if (res == 0) {
- /* nasty, not sure why we need to return this typed
- * instead of void* */
- *value = *(int *)object_key->value;
- }
 }
 else {
 res = -1;
--
1.7.1
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
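Review bot: Decrementing a key that already holds its type's minimum is not rejected in the `object_key_decrement` switch: the `UINT16`/`UINT32`/`UINT64` cases wrap from 0 to the maximum and still return success with the wrapped number in `*value`, and the `INT32`/`INT64` cases overflow a signed integer, which is undefined behaviour in C. If these keys back counters that callers compare against zero, one stray extra decrement becomes a very large count instead of an error. A check before the `--`, for example `if (*(uint32_t *)object_key->value == 0) { res = -1; break; }` for the unsigned cases and the `INT32_MIN`/`INT64_MIN` equivalents for the signed ones, would make the failure explicit. The function body starts and ends outside the hunk, so any clamping done by callers is not visible here.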