(prot_a_parse_num_list): Don't set res->length until res->data is allocated.

(prot_a_parse_misc_info_list): Ditto. (prot_a_parse_aux_item_list): Ditto. Without this fix, a client can cause a crash by sending the length of the list, and disconnect before sending the "{". (prot_a_parse_string): Add an additional comment explaining why a client_len field should be added (bug 162).

(prot_a_parse_num_list): Don't set res->length until res->data is allocated.
(prot_a_parse_misc_info_list): Ditto. (prot_a_parse_aux_item_list): Ditto. Without this fix, a client can cause a crash by sending the length of the list, and disconnect before sending the "{". (prot_a_parse_string): Add an additional comment explaining why a client_len field should be added (bug 162).
5c0cb4cb · Per Cederqvist · c3df1ba7 · 5c0cb4cb
Commit 5c0cb4cb authored Oct 21, 2002 by Per Cederqvist
--- a/src/server/prot-a-parse.c
+++ b/src/server/prot-a-parse.c
 /*
- * $Id: prot-a-parse.c,v 0.53 2002/08/10 19:57:22 ceder Exp $
+ * $Id: prot-a-parse.c,v 0.54 2002/10/21 08:54:53 ceder Exp $
 * Copyright (C) 1991-2002  Lysator Academic Computer Association.
 *
 * This file is part of the LysKOM server.
@@ -146,13 +146,13 @@ prot_a_parse_num_list(Connection *client,
 	    longjmp(parse_env, ISC_LOGOUT);
 	}

-	res->length = min(maxlen+1, client->array_parse_parsed_length);
 	client->array_parse_pos = 1;
 	/* Fall through */
    case 1:			/* The opening curly brace. */
 	if ( parse_nonwhite_char(client) != '{' )
 	    longjmp(parse_env, ISC_PROTOCOL_ERR);

+	res->length = min(maxlen+1, client->array_parse_parsed_length);
        res->data   = smalloc(sizeof(*res->data) * res->length);

 	client->array_parse_index = 0;
@@ -367,6 +367,13 @@ prot_a_parse_string(Connection  *client,
 	client->string_parse_pos = 1;
 	/* Transfer the total length across the restart point, by
 	   storing it in result->len.  */
+	/* FIXME (bug 162): It would be better to add a client_len
+	   field to the Connection struct.  Adding four bytes to that
+	   struct won't measurably change the size of the lyskomd
+	   process, and it will make this code easier to maintain.
+	   This is also dangerous, since it means that result->len > 0
+	   while result->string == NULL, and that might confuse some
+	   code somewhere. */
 	result->len = client_len;
 	/* Fall through */
    case 1:
@@ -509,7 +516,6 @@ prot_a_parse_aux_item_list(Connection *client,
 	    longjmp(parse_env, ISC_LOGOUT);
        }

-        result->length = min(maxlen+1, client->array_parse_parsed_length);
 	client->array_parse_pos = 1;
        /* Fall through */

@@ -517,6 +523,7 @@ prot_a_parse_aux_item_list(Connection *client,
 	if ( parse_nonwhite_char(client) != '{' )
 	    longjmp(parse_env, ISC_PROTOCOL_ERR);

+        result->length = min(maxlen+1, client->array_parse_parsed_length);
        result->items = smalloc(result->length * sizeof(Aux_item));
        
        for (i = 0; i < result->length; i++)
@@ -585,7 +592,6 @@ prot_a_parse_misc_info_list(Connection *client,
 	    longjmp(parse_env, ISC_LOGOUT);
        }

-        result->no_of_misc = min(maxlen+1, client->array_parse_parsed_length);
 	client->array_parse_pos = 1;
        /* Fall through */

@@ -593,6 +599,7 @@ prot_a_parse_misc_info_list(Connection *client,
 	if ( parse_nonwhite_char(client) != '{' )
 	    longjmp(parse_env, ISC_PROTOCOL_ERR);

+        result->no_of_misc = min(maxlen+1, client->array_parse_parsed_length);
        result->misc = smalloc(result->no_of_misc * sizeof(Misc_info));
        
        for (i = 0; i < result->no_of_misc; i++)