[PATCH] Fix memory allocation in connection_new.
From: Christopher Brannon
Subject: [PATCH] Fix memory allocation in connection_new.
Date: Wed, 30 Jun 2010 09:57:07 -0500
First, there is a possible buffer overflow in this function.
In the original code, if client_socket was >=
SpeechdStatus.num_fds - 1, the array of sockets was reallocated with
a size of SpeechdStatus.num_fds * 2.
The problem is that SpeechdStatus.num_fds * 2 can still be less than
or equal to client_socket, in which case
the reference SpeechdSocket[client_socket] refers to memory outside
of the allocated area.
Instead, we use the size client_socket * 2 when reallocating, and
this is safe.
Next, this commit replaces the realloc call with a call to spd_realloc,
since the program should terminate on failure to reallocate.
---
src/server/speechd.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/server/speechd.c b/src/server/speechd.c
index 3f95d8a..d7a8900 100644
--- a/src/server/speechd.c
+++ b/src/server/speechd.c
@@ -286,10 +286,10 @@ speechd_connection_new(int server_socket)
/* Check if there is space for server status data; allocate it */
if(client_socket >= SpeechdStatus.num_fds-1){
- SpeechdSocket = (TSpeechdSock*) realloc(SpeechdSocket,
- SpeechdStatus.num_fds*2*
- sizeof(TSpeechdSock));
- SpeechdStatus.num_fds *= 2;
+ SpeechdSocket = (TSpeechdSock*) spd_realloc(SpeechdSocket,
+ client_socket*2*
+ sizeof(TSpeechdSock));
+ SpeechdStatus.num_fds = client_socket * 2;
}
SpeechdSocket[client_socket].o_buf = g_string_new("");
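Review bot: the new size `client_socket*2` only exceeds `client_socket` when `client_socket >= 1`; with `client_socket == 0` and `SpeechdStatus.num_fds <= 1` the `if(client_socket >= SpeechdStatus.num_fds-1)` test is true, the table is reallocated to zero elements, and `SpeechdSocket[client_socket].o_buf = g_string_new("")` on the next line still writes past the allocation. Unlikely for an accepted socket, but cheap to rule out by using a size that is guaranteed to cover the index, e.g. `(client_socket + 1) * 2`, and keeping `num_fds` in step with it. A second point, pre-existing but worth noting while this block is being touched: `spd_realloc` does not zero the slots between the old `num_fds` and the new size, and only the `o_buf` of `client_socket` is initialised here, so any later code that inspects other entries of `SpeechdSocket` before they are assigned reads indeterminate memory.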
--
1.7.1
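The two growth policies from the hunk side by side, plus a bounded variant, as an added example that is not speech-dispatcher's code: `sock_rec`, `sock_table`, `grow_size_old`, `grow_size_new`, `index_in_bounds_after_grow` and `ensure_capacity` are constructed names standing in for `TSpeechdSock`, `SpeechdSocket` and `SpeechdStatus.num_fds`.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the per-socket record (not the project's TSpeechdSock). */
typedef struct {
    void *o_buf;
} sock_rec;

/* Constructed stand-in for SpeechdSocket plus SpeechdStatus.num_fds. */
typedef struct {
    sock_rec *socks;
    int num_fds;
} sock_table;

/* Old policy from the patch's "-" lines: double the current table size. */
static int grow_size_old(int num_fds, int client_socket) {
    (void)client_socket;
    return num_fds * 2;
}

/* New policy from the patch's "+" lines: size derived from the descriptor being stored. */
static int grow_size_new(int num_fds, int client_socket) {
    (void)num_fds;
    return client_socket * 2;
}

/* Replays the hunk's check with a given policy; returns 1 if the index ends up inside the table. */
int index_in_bounds_after_grow(int (*policy)(int, int), int num_fds, int client_socket) {
    if (client_socket >= num_fds - 1)
        num_fds = policy(num_fds, client_socket);
    return client_socket < num_fds;
}

/* Bounded growth: never smaller than client_socket + 1, and new slots are zeroed. */
int ensure_capacity(sock_table *t, int client_socket) {
    if (client_socket < 0) return 0;
    if (client_socket >= t->num_fds) {
        int want = t->num_fds * 2;
        if (want < client_socket + 1) want = client_socket + 1;
        sock_rec *p = realloc(t->socks, (size_t)want * sizeof *p);
        if (!p) return 0;                       /* caller decides whether to abort, like spd_realloc would */
        /* realloc leaves the added slots indeterminate; zero them so no stale o_buf is read later */
        memset(p + t->num_fds, 0, (size_t)(want - t->num_fds) * sizeof *p);
        t->socks = p;
        t->num_fds = want;
    }
    return 1;
}
```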