Commit 758036a7 authored by Pekka Pessi's avatar Pekka Pessi

msg: fixed possible leak in msg_params_d() with more than 16 params

Ignore-this: a45ef326def7b1bcd14de4850f3c24ab

Coverity issue.

darcs-hash:20090513155041-db55f-e35461a33ec6f27af204f7c1a1f7dfdbaf7f7de0.gz
parent bedc5052
......@@ -415,12 +415,14 @@ issize_t msg_avlist_d(su_home_t *home,
if (n == N) {
/* Reallocate params */
char **nparams = su_alloc(home,
(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
char const **nparams = su_realloc(home, params != stack ? params : NULL,
(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
if (!nparams) {
goto error;
}
params = memcpy(nparams, params, n * sizeof(*params));
if (params == stack)
memcpy(nparams, stack, n * sizeof(*params));
params = nparams;
}
params[n++] = p;
......@@ -441,12 +443,14 @@ issize_t msg_avlist_d(su_home_t *home,
}
else if (n == N) {
/* Reallocate params */
char **nparams = su_alloc(home,
(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
char const **nparams = su_realloc(home, params != stack ? params : NULL,
(N = MSG_PARAMS_NUM(N + 1)) * sizeof(*params));
if (!nparams) {
goto error;
}
params = memcpy(nparams, params, n * sizeof(*params));
if (params == stack)
memcpy(nparams, stack, n * sizeof(*params));
params = nparams;
}
params[n] = NULL;
......
......@@ -285,6 +285,24 @@ int test_header_parsing(void)
su_free(home, (void *)p), p = NULL;
}
master = ";0";
for (i = 1; i < 256; i++) {
master = su_sprintf(home, "%s; %u", master, i); TEST_1(master);
list = end = su_strdup(home, master);
TEST_1(msg_params_d(NULL, &end, &p) >= 0);
TEST_S(end, "");
TEST_1(p);
for (j = 0; j <= i; j++) {
char number[10];
snprintf(number, sizeof number, "%u", j);
TEST_S(p[j], number);
}
TEST_1(p[i + 1] == NULL);
su_free(home, list);
su_free(NULL, (void *)p), p = NULL;
}
su_home_deinit(home);
}
......@@ -722,6 +740,8 @@ int test_msg_parsing(void)
TEST(msg_serialize(msg, (msg_pub_t *)tst), 0);
}
msg_destroy(msg);
/* Bug #2429 */
orig = read_msg("GET a-life HTTP/1.1" CRLF
"Foo: bar" CRLF
......@@ -734,6 +754,7 @@ int test_msg_parsing(void)
TEST_1(otst);
msg = msg_copy(orig);
msg_destroy(orig);
tst = msg_test_public(msg);
TEST_1(tst);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment