Fix possible allocation of 0 len buffer in rtc 47/47/2
authorE. Scott Daniels <daniels@research.att.com>
Tue, 9 Apr 2019 20:25:58 +0000 (20:25 +0000)
committerE. Scott Daniels <daniels@research.att.com>
Tue, 9 Apr 2019 20:28:56 +0000 (20:28 +0000)
It was possible for the route table collector to allocate
a zero length buffer to copy a received message into.

Change-Id: Ie270f7fe9f721661f59713eaf15500762b2b3253
Signed-off-by: E. Scott Daniels <daniels@research.att.com>
CMakeLists.txt
src/common/src/rtc_static.c
src/nng/src/sr_nng_static.c

index 9f0af5d..9371ce3 100644 (file)
@@ -24,7 +24,7 @@ cmake_minimum_required( VERSION 3.5 )
 
 set( major_version "1" )
 set( minor_version "0" )
-set( patch_level "15" )
+set( patch_level "16" )
 
 set( install_root "${CMAKE_INSTALL_PREFIX}" )
 set( install_lib "lib" )
index 6b9c707..9f0d1a6 100644 (file)
@@ -92,7 +92,7 @@ static void* rtc( void* vctx ) {
        int             state;                                          // processing state of some nng function
        char*   tokens[128];
        char    wbuf[128];
-       char*   pbuf;
+       char*   pbuf = NULL;
        int             pbuf_size = 0;                          // number allocated in pbuf
        int             ntoks;
        int             raw_interface = 1;                      // rtg is using raw NNG/Nano not RMr to send updates
@@ -183,8 +183,12 @@ static void* rtc( void* vctx ) {
                                if( pbuf ) {
                                        free( pbuf );
                                }
-                               pbuf = (char *) malloc( sizeof( char ) * mlen *2 );
-                               pbuf_size = mlen * 2;
+                               if( mlen < 512 ) {
+                                       pbuf_size = 512;
+                               } else {
+                                       pbuf_size = mlen * 2;
+                               }
+                               pbuf = (char *) malloc( sizeof( char ) * pbuf_size );
                        }
                        memcpy( pbuf, payload, mlen );
                        pbuf[mlen] = 0;                                                                         // don't depend on sender making this a legit string
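Review bot: The allocation on the new `pbuf = (char *) malloc( sizeof( char ) * pbuf_size );` line is still unchecked, so when malloc fails pbuf stays NULL (explicitly now, given the first hunk's initializer) and the `memcpy( pbuf, payload, mlen )` that follows writes through it, while pbuf_size is left claiming 512 or mlen*2 bytes so the next message would skip reallocation and reuse the NULL pointer. Add `if( pbuf == NULL ) { pbuf_size = 0; /* take the loop's error path for this message */ }` directly after the malloc so the size and pointer stay consistent. The guard that decides whether to reallocate is on the line just before the hunk and the rest of rtc()'s receive loop is outside it, so whether continue or break is the right error path cannot be seen from here. Minor style point: `sizeof( char )` is 1 by definition and casting malloc's result is unnecessary in C, so `pbuf = malloc( pbuf_size );` says the same thing.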
index a99b3de..cfea829 100644 (file)
@@ -230,7 +230,7 @@ static inline rmr_mbuf_t* clone_msg( rmr_mbuf_t* old_msg  ) {
        nm->payload = nm->header + sizeof( uta_mhdr_t );                // point past header to payload (single buffer allocation above)
        nm->xaction = ((uta_mhdr_t *)nm->header)->xid;                  // point at transaction id in header area
        nm->state = old_msg->state;                                                             // fill in caller's state (likely the state of the last operation)
-       nm->flags |= MFL_ZEROCOPY;                                                              // this is a zerocopy sendable message
+       nm->flags = old_msg->flags | MFL_ZEROCOPY;                              // this is a zerocopy sendable message
 
        memcpy( ((uta_mhdr_t *)nm->header)->src, ((uta_mhdr_t *)old_msg->header)->src, RMR_MAX_SID );
        memcpy( nm->payload, old_msg->payload, old_msg->len );
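Review bot: The trailing comment on the changed `nm->flags = old_msg->flags | MFL_ZEROCOPY;` line still only says "this is a zerocopy sendable message", but the line now also inherits every flag bit of old_msg, which is the actual change; suggest `// inherit caller's flags; a clone is always zerocopy sendable`. Whether all of old_msg's bits are safe to carry over to a freshly allocated clone depends on what the other MFL_* bits mean (a bit recording how the old header or payload was allocated would now describe the wrong buffer), which cannot be confirmed from the hunk, so a one-line comment, or a mask if such a bit exists, would make the intent explicit. clone_msg()'s allocation of nm and the remainder of the function are outside the hunk.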