Commit ef8ea2ed authored by Per Cederqvist's avatar Per Cederqvist

Fixed bug in mux_parse_string that sometimes caused it to try to allocate

more than 4 Gbyte.
parent fee22064
...@@ -85,6 +85,16 @@ mux_parse_string(Mux *mux, ...@@ -85,6 +85,16 @@ mux_parse_string(Mux *mux,
switch ( mux->parse.string_parse_pos ) switch ( mux->parse.string_parse_pos )
{ {
case 0: case 0:
if ( ( result->len != 0 || result->string != NULL) && err_cnt++ < 20 )
{
log ("mux_parse_string(): result->len == %lu, "
"result->string == %lu. This memory will not be free()'d.\n",
(u_long)result->len, (u_long)result->string);
*result = EMPTY_STRING;
if ( err_cnt == 20 )
log("Won't log the above warning no more.");
}
/* Get number and discard trailing 'H' */ /* Get number and discard trailing 'H' */
mux_len = s_strtol(s_fsubstr(mux->parse.unparsed, mux_len = s_strtol(s_fsubstr(mux->parse.unparsed,
mux->parse.first_to_parse, mux->parse.first_to_parse,
...@@ -113,8 +123,10 @@ mux_parse_string(Mux *mux, ...@@ -113,8 +123,10 @@ mux_parse_string(Mux *mux,
mux->parse.first_to_parse += 1 + hptr; mux->parse.first_to_parse += 1 + hptr;
mux->parse.string_parse_pos = 1; mux->parse.string_parse_pos = 1;
result->len = mux_len; /* +++ Transfer mux_len. */
/* Fall through */ /* Fall through */
case 1: case 1:
mux_len = result->len;
/* Check that the entire string is transmitted. */ /* Check that the entire string is transmitted. */
/* (Don't care about the trailing part that will be skipped if the /* (Don't care about the trailing part that will be skipped if the
* string is longer than maxlen) */ * string is longer than maxlen) */
...@@ -126,16 +138,8 @@ mux_parse_string(Mux *mux, ...@@ -126,16 +138,8 @@ mux_parse_string(Mux *mux,
longjmp(mux_parse_env, MUX_MSG_INCOMPLETE); longjmp(mux_parse_env, MUX_MSG_INCOMPLETE);
} }
if ( ( result->len != 0 || result->string != NULL) && err_cnt++ < 20 ) *result = EMPTY_STRING;
{
log ("mux_parse_string(): result->len == %lu, "
"result->string == %lu. This memory will not be free()'d.\n",
(u_long)result->len, (u_long)result->string);
*result = EMPTY_STRING;
if ( err_cnt == 20 )
log("Won't log the above warning no more.");
}
s_mem_crea_str(result, s_mem_crea_str(result,
mux->parse.unparsed.string + mux->parse.first_to_parse, mux->parse.unparsed.string + mux->parse.first_to_parse,
truncated_len); truncated_len);
...@@ -152,7 +156,7 @@ mux_parse_string(Mux *mux, ...@@ -152,7 +156,7 @@ mux_parse_string(Mux *mux,
/* Was the string too long? If so, skip the truncated data. */ /* Was the string too long? If so, skip the truncated data. */
mux_len = result->len; /* +++ shouldn't modify ->len */ mux_len = result->len; /* +++ shouldn't modify ->len */
truncated_len = min(maxlen+1, result->len); truncated_len = min(maxlen+1, mux_len);
if ( mux_len > truncated_len ) if ( mux_len > truncated_len )
{ {
......
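Review bot: In the check added under `case 0:`, `*result = EMPTY_STRING;` sits inside the `err_cnt++ < 20` condition, so after twenty warnings a non-empty `result` is no longer cleared, and `result->len = mux_len;` then overwrites its length while `result->string` still points at the old buffer. The reset should not depend on the log rate limit: test `result->len != 0 || result->string != NULL` on its own, reset unconditionally inside it, and guard only the two `log()` calls with `err_cnt < 20`, incrementing the counter there so it stops growing once the limit is reached. Separately, `result->len` now carries the peer-supplied `mux_len` across `longjmp(mux_parse_env, MUX_MSG_INCOMPLETE)` while `result->string` is NULL. Any range check on the `s_strtol` result lies in lines not shown here, so confirm the value is bounded before it is stored, and consider keeping it in a dedicated field of `mux->parse` instead of the caller's string. The body of `mux_parse_string` begins and ends outside the visible hunks.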