From 8ed401124719b0a37fb6955c0173a32e8be84236 Mon Sep 17 00:00:00 2001 From: Con Kolivas Date: Mon, 25 Jan 2016 21:37:13 +1100 Subject: [PATCH] Fix heap overflow --- src/connector.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/connector.c b/src/connector.c index fd673011..e97d4740 100644 --- a/src/connector.c +++ b/src/connector.c @@ -461,34 +461,33 @@ static void parse_redirector_share(client_instance_t *client, const json_t *val) static void parse_client_msg(cdata_t *cdata, client_instance_t *client) { ckpool_t *ckp = cdata->ckp; - int buflen, ret, ofs; + int buflen, ret; char *msg, *eol; json_t *val; retry: - ofs = client->bufofs; - if (unlikely(ofs > MAX_MSGSIZE)) { + if (unlikely(client->bufofs > MAX_MSGSIZE)) { if (!client->remote) { LOGNOTICE("Client id %"PRId64" fd %d overloaded buffer without EOL, disconnecting", client->id, client->fd); invalidate_client(ckp, cdata, client); return; } - client->buf = realloc(client->buf, round_up_page(ofs + MAX_MSGSIZE + 1)); + client->buf = realloc(client->buf, round_up_page(client->bufofs + MAX_MSGSIZE + 1)); } /* This read call is non-blocking since the socket is set to O_NOBLOCK */ - ret = read(client->fd, client->buf + ofs, MAX_MSGSIZE); + ret = read(client->fd, client->buf + client->bufofs, MAX_MSGSIZE); if (ret < 1) { if (likely(errno == EAGAIN || errno == EWOULDBLOCK || !ret)) return; - LOGINFO("Client id %"PRId64" fd %d disconnected - recv fail with bufofs %d ret %d errno %d %s", - client->id, client->fd, ofs, ret, errno, ret && errno ? strerror(errno) : ""); + LOGINFO("Client id %"PRId64" fd %d disconnected - recv fail with bufofs %lu ret %d errno %d %s", + client->id, client->fd, client->bufofs, ret, errno, ret && errno ? strerror(errno) : ""); invalidate_client(ckp, cdata, client); return; } client->bufofs += ret; reparse: - eol = memchr(client->buf + ofs, '\n', client->bufofs); + eol = memchr(client->buf, '\n', client->bufofs); if (!eol) goto retry;