Re: [PATCH 1/2] Added checks in memory allocated with malloc in SDP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Santiago,

> This patch add checks in memory allocated using malloc in SDP. 
> 
> >From b19940a05fcd341b1197606661320fa91ba19390 Mon Sep 17 00:00:00 2001
> From: Santiago Carot-Nemesio <sancane@xxxxxxxxx>
> Date: Tue, 27 Apr 2010 20:44:18 +0200
> Subject: [PATCH 1/2] Added checks in memory allocated with malloc in SDP
> 
> ---
>  lib/sdp.c |   82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
>  1 files changed, 76 insertions(+), 6 deletions(-)
>  mode change 100644 => 100755 lib/sdp.c
> 
> diff --git a/lib/sdp.c b/lib/sdp.c
> old mode 100644
> new mode 100755
> index 667d412..0def315
> --- a/lib/sdp.c
> +++ b/lib/sdp.c
> @@ -1078,6 +1078,8 @@ static sdp_data_t *extract_int(const void *p, int bufsize, int *len)
>  	}
>  
>  	d = malloc(sizeof(sdp_data_t));
> +	if (!d)
> +		return NULL;
>  
>  	SDPDBG("Extracting integer\n");
>  	memset(d, 0, sizeof(sdp_data_t));
> @@ -1152,6 +1154,9 @@ static sdp_data_t *extract_uuid(const uint8_t *p, int bufsize, int *len,
>  {
>  	sdp_data_t *d = malloc(sizeof(sdp_data_t));
>  
> +	if (!d)
> +		return NULL;
> +
>  	SDPDBG("Extracting UUID");
>  	memset(d, 0, sizeof(sdp_data_t));
>  	if (sdp_uuid_extract(p, bufsize, &d->val.uuid, len) < 0) {
> @@ -1179,6 +1184,8 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len)
>  	}
>  
>  	d = malloc(sizeof(sdp_data_t));
> +	if (!d)
> +		return NULL;
>  
>  	memset(d, 0, sizeof(sdp_data_t));
>  	d->dtd = *(uint8_t *) p;
> @@ -1302,6 +1309,9 @@ static sdp_data_t *extract_seq(const void *p, int bufsize, int *len,
>  	sdp_data_t *curr, *prev;
>  	sdp_data_t *d = malloc(sizeof(sdp_data_t));
>  
> +	if (!d)
> +		return NULL;
> +
>  	SDPDBG("Extracting SEQ");
>  	memset(d, 0, sizeof(sdp_data_t));
>  	*len = sdp_extract_seqtype(p, bufsize, &d->dtd, &seqlen);
> @@ -1945,10 +1955,15 @@ int sdp_get_uuidseq_attr(const sdp_record_t *rec, uint16_t attr,
>  		sdp_data_t *d;
>  		for (d = sdpdata->val.dataseq; d; d = d->next) {
>  			uuid_t *u;
> -			if (d->dtd < SDP_UUID16 || d->dtd > SDP_UUID128)
> +			if (d->dtd < SDP_UUID16 || d->dtd > SDP_UUID128) {
> +				errno = EINVAL;
>  				goto fail;
> +			}
>  
>  			u = malloc(sizeof(uuid_t));
> +			if (!u)
> +				goto fail;
> +
>  			memset(u, 0, sizeof(uuid_t));
>  			*u = d->val.uuid;
>  			*seqp = sdp_list_append(*seqp, u);
> @@ -1957,7 +1972,7 @@ int sdp_get_uuidseq_attr(const sdp_record_t *rec, uint16_t attr,
>  	}
>  fail:
>  	sdp_list_free(*seqp, free);
> -	errno = EINVAL;
> +	*seqp = NULL;
>  	return -1;
>  }
>  
> @@ -1974,7 +1989,15 @@ int sdp_set_uuidseq_attr(sdp_record_t *rec, uint16_t aid, sdp_list_t *seq)
>  	if (!seq || len == 0)
>  		return -1;
>  	dtds = (void **)malloc(len * sizeof(void *));
> +	if (!dtds)
> +		return -1;
> +
>  	values = (void **)malloc(len * sizeof(void *));
> +	if (!values) {
> +		free(dtds);
> +		return -1;
> +	}
> +

since you are touching this code, remove the pointless (void **) casting
for malloc.

>  	for (p = seq, i = 0; i < len; i++, p = p->next) {
>  		uuid_t *uuid = (uuid_t *)p->data;
>  		if (uuid)
> @@ -2028,6 +2051,9 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
>  		sdp_data_t *pOffset = pEncoding->next;
>  		if (pEncoding && pOffset) {
>  			lang = malloc(sizeof(sdp_lang_attr_t));
> +			if (!lang)
> +				goto fail;
> +
>  			lang->code_ISO639 = pCode->val.uint16;
>  			lang->encoding = pEncoding->val.uint16;
>  			lang->base_offset = pOffset->val.uint16;
> @@ -2039,6 +2065,10 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
>  		curr_data = pOffset->next;
>  	}
>  	return 0;
> +fail:
> +	sdp_list_free(*langSeq, free);
> +	*langSeq = NULL;
> +	return -1;
>  }

Why a goto here. There is only one user.
 
>  int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
> @@ -2069,6 +2099,8 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
>  
>  		if (uuid != NULL) {
>  			profDesc = malloc(sizeof(sdp_profile_desc_t));
> +			if (!profDesc)
> +				goto fail;
>  			profDesc->uuid = *uuid;
>  			profDesc->version = version;
>  #ifdef SDP_DEBUG
> @@ -2079,6 +2111,10 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
>  		}
>  	}
>  	return 0;
> +fail:
> +	sdp_list_free(*profDescSeq, free);
> +	*profDescSeq = NULL;
> +	return -1;
>  }

Same here. Only one user. So better keep the the error handling in
place.
 
>  int sdp_get_server_ver(const sdp_record_t *rec, sdp_list_t **u16)
> @@ -2231,7 +2267,15 @@ static sdp_data_t *access_proto_to_dataseq(sdp_record_t *rec, sdp_list_t *proto)
>  
>  	seqlen = sdp_list_len(proto);
>  	seqDTDs = (void **)malloc(seqlen * sizeof(void *));
> +	if (!seqDTDs)
> +		return NULL;
> +
>  	seqs = (void **)malloc(seqlen * sizeof(void *));
> +	if (!seqs) {
> +		free(seqDTDs);
> +		return NULL;
> +	}
> +

Remove the casting while at it.

> @@ -2350,10 +2394,19 @@ int sdp_set_lang_attr(sdp_record_t *rec, const sdp_list_t *seq)
>  {
>  	uint8_t uint16 = SDP_UINT16;
>  	int status = 0, i = 0, seqlen = sdp_list_len(seq);
> -	void **dtds = (void **)malloc(3 * seqlen * sizeof(void *));
> -	void **values = (void **)malloc(3 * seqlen * sizeof(void *));
> +	void **dtds, **values;
>  	const sdp_list_t *p;
>  
> +	dtds = (void **)malloc(3 * seqlen * sizeof(void *));
> +	if (!dtds)
> +		return -1;
> +
> +	values = (void **)malloc(3 * seqlen * sizeof(void *));
> +	if (!values) {
> +		free(dtds);
> +		return -1;
> +	}
> +

Don't re-introduce this casting. It is pointless.

Regards

Marcel


--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux