Commit 5c0cb4cb authored by Per Cederqvist's avatar Per Cederqvist

(prot_a_parse_num_list): Don't set res->length until res->data is allocated.

(prot_a_parse_misc_info_list): Ditto.
(prot_a_parse_aux_item_list): Ditto.  Without this fix, a client
	can cause a crash by sending the length of the list and then
	disconnecting before sending the "{".
(prot_a_parse_string): Add an additional comment explaining why a
	client_len field should be added (bug 162).
parent c3df1ba7
/*
* $Id: prot-a-parse.c,v 0.53 2002/08/10 19:57:22 ceder Exp $
* $Id: prot-a-parse.c,v 0.54 2002/10/21 08:54:53 ceder Exp $
* Copyright (C) 1991-2002 Lysator Academic Computer Association.
*
* This file is part of the LysKOM server.
......@@ -146,13 +146,13 @@ prot_a_parse_num_list(Connection *client,
longjmp(parse_env, ISC_LOGOUT);
}
res->length = min(maxlen+1, client->array_parse_parsed_length);
client->array_parse_pos = 1;
/* Fall through */
case 1: /* The opening curly brace. */
if ( parse_nonwhite_char(client) != '{' )
longjmp(parse_env, ISC_PROTOCOL_ERR);
res->length = min(maxlen+1, client->array_parse_parsed_length);
res->data = smalloc(sizeof(*res->data) * res->length);
client->array_parse_index = 0;
......@@ -367,6 +367,13 @@ prot_a_parse_string(Connection *client,
client->string_parse_pos = 1;
/* Transfer the total length across the restart point, by
storing it in result->len. */
/* FIXME (bug 162): It would be better to add a client_len
field to the Connection struct. Adding four bytes to that
struct won't measurably change the size of the lyskomd
process, and it will make this code easier to maintain.
This is also dangerous, since it means that result->len > 0
while result->string == NULL, and that might confuse some
code somewhere. */
result->len = client_len;
/* Fall through */
case 1:
......@@ -509,7 +516,6 @@ prot_a_parse_aux_item_list(Connection *client,
longjmp(parse_env, ISC_LOGOUT);
}
result->length = min(maxlen+1, client->array_parse_parsed_length);
client->array_parse_pos = 1;
/* Fall through */
......@@ -517,6 +523,7 @@ prot_a_parse_aux_item_list(Connection *client,
if ( parse_nonwhite_char(client) != '{' )
longjmp(parse_env, ISC_PROTOCOL_ERR);
result->length = min(maxlen+1, client->array_parse_parsed_length);
result->items = smalloc(result->length * sizeof(Aux_item));
for (i = 0; i < result->length; i++)
......@@ -585,7 +592,6 @@ prot_a_parse_misc_info_list(Connection *client,
longjmp(parse_env, ISC_LOGOUT);
}
result->no_of_misc = min(maxlen+1, client->array_parse_parsed_length);
client->array_parse_pos = 1;
/* Fall through */
......@@ -593,6 +599,7 @@ prot_a_parse_misc_info_list(Connection *client,
if ( parse_nonwhite_char(client) != '{' )
longjmp(parse_env, ISC_PROTOCOL_ERR);
result->no_of_misc = min(maxlen+1, client->array_parse_parsed_length);
result->misc = smalloc(result->no_of_misc * sizeof(Misc_info));
for (i = 0; i < result->no_of_misc; i++)
......
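Review bot: The relocated pair `res->length = min(maxlen+1, client->array_parse_parsed_length);` / `res->data = smalloc(sizeof(*res->data) * res->length);` in the `{` case (and the matching pairs in prot_a_parse_aux_item_list and prot_a_parse_misc_info_list) carries no comment saying why the two statements must stay adjacent; the reason exists only in the commit message, so a later edit can reopen the window. A comment such as `/* Set length only together with the allocation: cleanup on ISC_LOGOUT must never see length > 0 with a NULL array. */` above each pair would pin it. A narrower form of the same hazard may remain after the allocation: smalloc returns uninitialized storage and the element loop follows it, so if a disconnect in the middle of the list makes the cleanup path walk `result->length` items and release per-item members, it would act on garbage; I cannot see that cleanup code, so please confirm it uses the parsed count (`client->array_parse_index`) rather than `length`, or zero the block at allocation. All three functions start and end outside the hunks shown.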