Hi Santiago,
> This patch add checks in memory allocated using malloc in SDP.
>
> >From b19940a05fcd341b1197606661320fa91ba19390 Mon Sep 17 00:00:00 2001
> From: Santiago Carot-Nemesio <sancane@xxxxxxxxx>
> Date: Tue, 27 Apr 2010 20:44:18 +0200
> Subject: [PATCH 1/2] Added checks in memory allocated with malloc in SDP
>
> ---
> lib/sdp.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
> 1 files changed, 76 insertions(+), 6 deletions(-)
> mode change 100644 => 100755 lib/sdp.c
>
> diff --git a/lib/sdp.c b/lib/sdp.c
> old mode 100644
> new mode 100755
> index 667d412..0def315
> --- a/lib/sdp.c
> +++ b/lib/sdp.c
> @@ -1078,6 +1078,8 @@ static sdp_data_t *extract_int(const void *p, int bufsize, int *len)
> }
>
> d = malloc(sizeof(sdp_data_t));
> + if (!d)
> + return NULL;
>
> SDPDBG("Extracting integer\n");
> memset(d, 0, sizeof(sdp_data_t));
> @@ -1152,6 +1154,9 @@ static sdp_data_t *extract_uuid(const uint8_t *p, int bufsize, int *len,
> {
> sdp_data_t *d = malloc(sizeof(sdp_data_t));
>
> + if (!d)
> + return NULL;
> +
> SDPDBG("Extracting UUID");
> memset(d, 0, sizeof(sdp_data_t));
> if (sdp_uuid_extract(p, bufsize, &d->val.uuid, len) < 0) {
> @@ -1179,6 +1184,8 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len)
> }
>
> d = malloc(sizeof(sdp_data_t));
> + if (!d)
> + return NULL;
>
> memset(d, 0, sizeof(sdp_data_t));
> d->dtd = *(uint8_t *) p;
> @@ -1302,6 +1309,9 @@ static sdp_data_t *extract_seq(const void *p, int bufsize, int *len,
> sdp_data_t *curr, *prev;
> sdp_data_t *d = malloc(sizeof(sdp_data_t));
>
> + if (!d)
> + return NULL;
> +
> SDPDBG("Extracting SEQ");
> memset(d, 0, sizeof(sdp_data_t));
> *len = sdp_extract_seqtype(p, bufsize, &d->dtd, &seqlen);
> @@ -1945,10 +1955,15 @@ int sdp_get_uuidseq_attr(const sdp_record_t *rec, uint16_t attr,
> sdp_data_t *d;
> for (d = sdpdata->val.dataseq; d; d = d->next) {
> uuid_t *u;
> - if (d->dtd < SDP_UUID16 || d->dtd > SDP_UUID128)
> + if (d->dtd < SDP_UUID16 || d->dtd > SDP_UUID128) {
> + errno = EINVAL;
> goto fail;
> + }
>
> u = malloc(sizeof(uuid_t));
> + if (!u)
> + goto fail;
> +
> memset(u, 0, sizeof(uuid_t));
> *u = d->val.uuid;
> *seqp = sdp_list_append(*seqp, u);
> @@ -1957,7 +1972,7 @@ int sdp_get_uuidseq_attr(const sdp_record_t *rec, uint16_t attr,
> }
> fail:
> sdp_list_free(*seqp, free);
> - errno = EINVAL;
> + *seqp = NULL;
> return -1;
> }
>
> @@ -1974,7 +1989,15 @@ int sdp_set_uuidseq_attr(sdp_record_t *rec, uint16_t aid, sdp_list_t *seq)
> if (!seq || len == 0)
> return -1;
> dtds = (void **)malloc(len * sizeof(void *));
> + if (!dtds)
> + return -1;
> +
> values = (void **)malloc(len * sizeof(void *));
> + if (!values) {
> + free(dtds);
> + return -1;
> + }
> +
since you are touching this code, remove the pointless (void **) casting
for malloc.
> for (p = seq, i = 0; i < len; i++, p = p->next) {
> uuid_t *uuid = (uuid_t *)p->data;
> if (uuid)
> @@ -2028,6 +2051,9 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
> sdp_data_t *pOffset = pEncoding->next;
> if (pEncoding && pOffset) {
> lang = malloc(sizeof(sdp_lang_attr_t));
> + if (!lang)
> + goto fail;
> +
> lang->code_ISO639 = pCode->val.uint16;
> lang->encoding = pEncoding->val.uint16;
> lang->base_offset = pOffset->val.uint16;
> @@ -2039,6 +2065,10 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
> curr_data = pOffset->next;
> }
> return 0;
> +fail:
> + sdp_list_free(*langSeq, free);
> + *langSeq = NULL;
> + return -1;
> }
Why a goto here. There is only one user.
> int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
> @@ -2069,6 +2099,8 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
>
> if (uuid != NULL) {
> profDesc = malloc(sizeof(sdp_profile_desc_t));
> + if (!profDesc)
> + goto fail;
> profDesc->uuid = *uuid;
> profDesc->version = version;
> #ifdef SDP_DEBUG
> @@ -2079,6 +2111,10 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
> }
> }
> return 0;
> +fail:
> + sdp_list_free(*profDescSeq, free);
> + *profDescSeq = NULL;
> + return -1;
> }
Same here. Only one user. So better keep the the error handling in
place.
> int sdp_get_server_ver(const sdp_record_t *rec, sdp_list_t **u16)
> @@ -2231,7 +2267,15 @@ static sdp_data_t *access_proto_to_dataseq(sdp_record_t *rec, sdp_list_t *proto)
>
> seqlen = sdp_list_len(proto);
> seqDTDs = (void **)malloc(seqlen * sizeof(void *));
> + if (!seqDTDs)
> + return NULL;
> +
> seqs = (void **)malloc(seqlen * sizeof(void *));
> + if (!seqs) {
> + free(seqDTDs);
> + return NULL;
> + }
> +
Remove the casting while at it.
> @@ -2350,10 +2394,19 @@ int sdp_set_lang_attr(sdp_record_t *rec, const sdp_list_t *seq)
> {
> uint8_t uint16 = SDP_UINT16;
> int status = 0, i = 0, seqlen = sdp_list_len(seq);
> - void **dtds = (void **)malloc(3 * seqlen * sizeof(void *));
> - void **values = (void **)malloc(3 * seqlen * sizeof(void *));
> + void **dtds, **values;
> const sdp_list_t *p;
>
> + dtds = (void **)malloc(3 * seqlen * sizeof(void *));
> + if (!dtds)
> + return -1;
> +
> + values = (void **)malloc(3 * seqlen * sizeof(void *));
> + if (!values) {
> + free(dtds);
> + return -1;
> + }
> +
Don't re-introduce this casting. It is pointless.
Regards
Marcel
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
