From aa0b497f216ebd8bc72850bf4af5c9f35c288b65 Mon Sep 17 00:00:00 2001
From: "E. Scott Daniels"
Date: Tue, 9 Apr 2019 20:25:58 +0000
Subject: [PATCH] Fix possible allocation of 0 len buffer in rtc

It was possible for the route table collector to allocate a zero length buffer to copy a received message into.

Change-Id: Ie270f7fe9f721661f59713eaf15500762b2b3253
Signed-off-by: E. Scott Daniels
---
 CMakeLists.txt | 2 +-
 src/common/src/rtc_static.c | 10 +++++++---
 src/nng/src/sr_nng_static.c | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9f0af5d..9371ce3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -24,7 +24,7 @@ cmake_minimum_required( VERSION 3.5 )
 set( major_version "1" )
 set( minor_version "0" )
-set( patch_level "15" )
+set( patch_level "16" )
 set( install_root "${CMAKE_INSTALL_PREFIX}" )
 set( install_lib "lib" )
diff --git a/src/common/src/rtc_static.c b/src/common/src/rtc_static.c
index 6b9c707..9f0d1a6 100644
--- a/src/common/src/rtc_static.c
+++ b/src/common/src/rtc_static.c
@@ -92,7 +92,7 @@ static void* rtc( void* vctx ) {
 int state; // processing state of some nng function
 char* tokens[128];
 char wbuf[128];
- char* pbuf;
+ char* pbuf = NULL;
 int pbuf_size = 0; // number allocated in pbuf
 int ntoks;
 int raw_interface = 1; // rtg is using raw NNG/Nano not RMr to send updates
@@ -183,8 +183,12 @@ static void* rtc( void* vctx ) {
 if( pbuf ) {
 free( pbuf );
 }
- pbuf = (char *) malloc( sizeof( char ) * mlen *2 );
- pbuf_size = mlen * 2;
+ if( mlen < 512 ) {
+ pbuf_size = 512;
+ } else {
+ pbuf_size = mlen * 2;
+ }
+ pbuf = (char *) malloc( sizeof( char ) * pbuf_size );
 }
 memcpy( pbuf, payload, mlen );
 pbuf[mlen] = 0; // don't depend on sender making this a legit string
diff --git a/src/nng/src/sr_nng_static.c b/src/nng/src/sr_nng_static.c
index a99b3de..cfea829 100644
--- a/src/nng/src/sr_nng_static.c
+++ b/src/nng/src/sr_nng_static.c
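Review bot: The malloc() result on the new `pbuf = (char *) malloc( sizeof( char ) * pbuf_size );` line in the second rtc_static.c hunk is still unchecked, so the `memcpy( pbuf, payload, mlen );` and `pbuf[mlen] = 0;` that follow write through a NULL pointer when allocation fails; the zero-length allocation this commit fixes was one symptom of the same missing guard. A check directly after the malloc, such as `if( pbuf == NULL ) { pbuf_size = 0; /* release the received message and skip it */ }`, would cover it, though what the skip path must release is outside the hunk and is for the author to confirm. `pbuf_size = mlen * 2;` also stores the product in an int, so if mlen is a wide or unvalidated wire length the multiplication can overflow before the size is used; clamping mlen against an upper bound before sizing would close that. The enclosing if that decides whether to reallocate, and rtc() itself, start and end outside the hunk.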
@@ -230,7 +230,7 @@ static inline rmr_mbuf_t* clone_msg( rmr_mbuf_t* old_msg ) {
 nm->payload = nm->header + sizeof( uta_mhdr_t ); // point past header to payload (single buffer allocation above)
 nm->xaction = ((uta_mhdr_t *)nm->header)->xid; // point at transaction id in header area
 nm->state = old_msg->state; // fill in caller's state (likely the state of the last operation)
- nm->flags |= MFL_ZEROCOPY; // this is a zerocopy sendable message
+ nm->flags = old_msg->flags | MFL_ZEROCOPY; // this is a zerocopy sendable message
 memcpy( ((uta_mhdr_t *)nm->header)->src, ((uta_mhdr_t *)old_msg->header)->src, RMR_MAX_SID );
 memcpy( nm->payload, old_msg->payload, old_msg->len );
-- 
2.16.6
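Review bot: The trailing comment on `nm->flags = old_msg->flags | MFL_ZEROCOPY;` still reads `// this is a zerocopy sendable message`, but the line now also inherits every flag set on old_msg, which the comment does not say. If any flags describe the original buffer rather than the message (ownership or allocation state, for instance), copying them wholesale into a freshly allocated clone may be wrong; either masking to the flags that are meant to travel with a copy, or a comment stating that all of them are intended to, would make the intent checkable. Suggested wording: `nm->flags = old_msg->flags | MFL_ZEROCOPY; // carry the caller's flags; clone is zerocopy sendable`. clone_msg() starts and ends outside the hunk, so the allocation that nm->header points at is not visible here.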