Looking at tabled's code, I see a few places where unchecked strdup
can lead to NULL deref, whereas the majority are checked carefully.
Patches for the first two I found are below -- haven't completed the job.
In most cases, I see that care is taken to detect failure and propagate
that to higher levels. In others, due to the use of glib functions,
OOM leads to immediate (and possibly-unclean?) exit, because glib simply
calls exit on OOM. Or perhaps tabled tells glib not to handle OOM that
way -- assuming that's possible.
This is server-style (and some of it library-grade) code, so I'm surprised
to see it relying on glib, which due to its handling of OOM errors
is often deemed unsuitable for applications that need to die
gracefully.
I'm not 100% sure that each of these strdup
failures will lead inevitably to a NULL deref, but a quick
manual trace suggested it's possible, so...
>From fb7865d158b0d32907dde703c4d37c70a26e738c Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@xxxxxxxxxx>
Date: Thu, 23 Sep 2010 10:11:44 +0200
Subject: [PATCH tabled 1/2] server/config.c: don't dereference NULL on OOM
Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
---
server/config.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/server/config.c b/server/config.c
index f94886e..a58a0e6 100644
--- a/server/config.c
+++ b/server/config.c
@@ -1,6 +1,6 @@
/*
- * Copyright 2009 Red Hat, Inc.
+ * Copyright 2009, 2010 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -436,7 +436,10 @@ void read_config(void)
memset(&ctx, 0, sizeof(struct config_context));
- tabled_srv.port = strdup("8080");
+ if (!(tabled_srv.port = strdup("8080"))) {
+ applog(LOG_ERR, "no core");
+ exit(1);
+ }
if (!g_file_get_contents(tabled_srv.config, &text, &len, NULL)) {
applog(LOG_ERR, "failed to read config file %s",
--
1.7.3.234.g7bba3
>From 725ff27469746639f0da098feab6c3d0a28e7b30 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@xxxxxxxxxx>
Date: Thu, 23 Sep 2010 10:25:15 +0200
Subject: [PATCH tabled 2/2] server/object.c: don't deref NULL on OOM
Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
---
server/object.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/server/object.c b/server/object.c
index 3801e94..1f2f68f 100644
--- a/server/object.c
+++ b/server/object.c
@@ -1,6 +1,6 @@
/*
- * Copyright 2008-2009 Red Hat, Inc.
+ * Copyright 2008-2010 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -801,6 +801,11 @@ static bool object_put_body(struct client *cli, const char *user,
cli->out_objid = objid;
cli->out_user = strdup(user);
+ if (!cli->out_bucket || !cli->out_key || !cli->out_user) {
+ applog(LOG_ERR, "OOM in object_put_body");
+ return cli_err(cli, InternalError);
+ }
+
/* handle Expect: 100-continue header, by unconditionally
* requesting that they continue.
*/
--
1.7.3.234.g7bba3
--
To unsubscribe from this list: send the line "unsubscribe hail-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
