On Thu, Jun 09, 2011 at 04:44:23PM +0200, Jan Friesse wrote:
> In confdb_object_iter, the result of object_find_create is now properly
> checked. object_find_create can return -1 if the object doesn't exist.
> Without this check, an invalid handle (memory garbage) was passed directly
> to object_find_next.
> 

Reviewed-by: Angus Salkeld <[email protected]>

> Signed-off-by: Jan Friesse <[email protected]>
> ---
>  services/confdb.c |   29 +++++++++++++++++++++--------
>  1 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/services/confdb.c b/services/confdb.c
> index b57a041..64def8a 100644
> --- a/services/confdb.c
> +++ b/services/confdb.c
> @@ -708,9 +708,12 @@ static void message_handler_req_lib_confdb_object_iter 
> (void *conn,
>       int ret = CS_OK;
>  
>       if (!req_lib_confdb_object_iter->find_handle) {
> -             
> api->object_find_create(req_lib_confdb_object_iter->parent_object_handle,
> +             if 
> (api->object_find_create(req_lib_confdb_object_iter->parent_object_handle,
>                                       NULL, 0,
> -                                     
> m2h(&res_lib_confdb_object_iter.find_handle));
> +                                     
> m2h(&res_lib_confdb_object_iter.find_handle)) == -1) {
> +                     ret = CS_ERR_ACCESS;
> +                     goto response_send;
> +             }
>       }
>       else
>               res_lib_confdb_object_iter.find_handle = 
> req_lib_confdb_object_iter->find_handle;
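Review bot: The new `goto response_send` path after a failed `object_find_create` skips every assignment to `res_lib_confdb_object_iter` except the header fields, yet the reply is still sized with `sizeof(res_lib_confdb_object_iter)`. The declaration is outside the hunk, but if the struct is an unzeroed local, `find_handle`, `object_handle` and `object_name` would carry stale stack bytes to the client. Zeroing the response before first use closes that, for example `memset(&res_lib_confdb_object_iter, 0, sizeof(res_lib_confdb_object_iter));` at the top of the handler. The same applies to the `object_name_get` failure path in the next hunk and to the matching path in `message_handler_req_lib_confdb_object_find`.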
> @@ -721,12 +724,17 @@ static void message_handler_req_lib_confdb_object_iter 
> (void *conn,
>               
> api->object_find_destroy(res_lib_confdb_object_iter.find_handle);
>       }
>       else {
> -             api->object_name_get(res_lib_confdb_object_iter.object_handle,
> +             if 
> (api->object_name_get(res_lib_confdb_object_iter.object_handle,
>                                    (char 
> *)res_lib_confdb_object_iter.object_name.value,
> -                                  &object_name_len);
> -
> -             res_lib_confdb_object_iter.object_name.length = object_name_len;
> +                                  &object_name_len) == -1) {
> +                     ret = CS_ERR_ACCESS;
> +                     goto response_send;
> +             } else {
> +                     res_lib_confdb_object_iter.object_name.length = 
> object_name_len;
> +             }
>       }
> +
> +response_send:
>       res_lib_confdb_object_iter.header.size = 
> sizeof(res_lib_confdb_object_iter);
>       res_lib_confdb_object_iter.header.id = MESSAGE_RES_CONFDB_OBJECT_ITER;
>       res_lib_confdb_object_iter.header.error = ret;
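Review bot: The `else` branch after `goto response_send;` in the `object_name_get` check is redundant, since control never falls through the `goto`. The assignment `res_lib_confdb_object_iter.object_name.length = object_name_len;` can sit unindented after the closing brace of the `if`, which keeps the success path at one nesting level. Separately, `object_name_get` is given the `object_name.value` buffer without its capacity, so a short comment stating the maximum name length the API may write would help the next reader; the hunk does not show that bound.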
> @@ -743,10 +751,13 @@ static void message_handler_req_lib_confdb_object_find 
> (void *conn,
>       int ret = CS_OK;
>  
>       if (!req_lib_confdb_object_find->find_handle) {
> -             
> api->object_find_create(req_lib_confdb_object_find->parent_object_handle,
> +             if 
> (api->object_find_create(req_lib_confdb_object_find->parent_object_handle,
>                                       
> req_lib_confdb_object_find->object_name.value,
>                                       
> req_lib_confdb_object_find->object_name.length,
> -                                     
> m2h(&res_lib_confdb_object_find.find_handle));
> +                                     
> m2h(&res_lib_confdb_object_find.find_handle)) == -1) {
> +                     ret = CS_ERR_ACCESS;
> +                     goto response_send;
> +             }
>       }
>       else
>               res_lib_confdb_object_find.find_handle = 
> req_lib_confdb_object_find->find_handle;
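Review bot: `CS_ERR_ACCESS` is returned here for a failure the commit message describes as "object doesn't exist", so a client cannot tell a missing parent object from a permission problem. If -1 from `object_find_create` only ever means not-found, `ret = CS_ERR_NOT_EXIST;` would be the more accurate code, both here and in the two new error paths in `message_handler_req_lib_confdb_object_iter`. If -1 can also mean other failures, a one-line comment saying why `CS_ERR_ACCESS` was chosen would help.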
> @@ -757,6 +768,8 @@ static void message_handler_req_lib_confdb_object_find 
> (void *conn,
>               
> api->object_find_destroy(res_lib_confdb_object_find.find_handle);
>       }
>  
> +
> +response_send:
>       res_lib_confdb_object_find.header.size = 
> sizeof(res_lib_confdb_object_find);
>       res_lib_confdb_object_find.header.id = MESSAGE_RES_CONFDB_OBJECT_FIND;
>       res_lib_confdb_object_find.header.error = ret;
> -- 
> 1.7.1
> 