rpms / openslp

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7-alt
  2.   SOURCES
  3.   openslp-2.0.0-fortify-source-buffer-overflow.patch
Blob Blame History Raw 
diff -up openslp-2.0.0/slpd/slpd_predicate.c.orig openslp-2.0.0/slpd/slpd_predicate.c
--- openslp-2.0.0/slpd/slpd_predicate.c.orig	2012-12-11 00:31:53.000000000 +0100
+++ openslp-2.0.0/slpd/slpd_predicate.c	2015-01-14 13:17:45.115104003 +0100
@@ -1425,6 +1425,8 @@ void freePredicateParseTree(SLPDPredicat
          break;
       }
       pNextNode = pNode->next;
+      xfree(pNode->nodeBody.comparison.tag_str);
+      xfree(pNode->nodeBody.comparison.value_str);
       xfree(pNode);
       pNode = pNextNode;
    }
@@ -1643,26 +1645,28 @@ SLPDPredicateParseResult createPredicate
       rhs = val_start;
 
       /***** Create leaf node. *****/
-      *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + rhs_len);
+      *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode));
       if (!(*ppNode))
          return PREDICATE_PARSE_INTERNAL_ERROR;
 
+      (*ppNode)->nodeBody.comparison.tag_str = (char *)xmalloc((lhs_len+1) * sizeof(char));
+      if (!((*ppNode)->nodeBody.comparison.tag_str))
+         return PREDICATE_PARSE_INTERNAL_ERROR;
+
+      (*ppNode)->nodeBody.comparison.value_str = (char *)xmalloc((rhs_len+1) * sizeof(char));
+      if (!((*ppNode)->nodeBody.comparison.value_str))
+         return PREDICATE_PARSE_INTERNAL_ERROR;
+
       (*ppNode)->nodeType = op;
       (*ppNode)->next = (SLPDPredicateTreeNode *)0;
 
-      /* Finished with "operator" now - just use as temporary pointer to assist with copying the
-       * attribute name (lhs) and required value (rhs) into the node
-       */
-      operator = (*ppNode)->nodeBody.comparison.storage;
-      strncpy(operator, lhs, lhs_len);
-      operator[lhs_len] = '\0';
       (*ppNode)->nodeBody.comparison.tag_len = lhs_len;
-      (*ppNode)->nodeBody.comparison.tag_str = operator;
-      operator += lhs_len + 1;
-      strncpy(operator, rhs, rhs_len);
-      operator[rhs_len] = '\0';
+      strncpy((*ppNode)->nodeBody.comparison.tag_str, lhs, lhs_len);
+      (*ppNode)->nodeBody.comparison.tag_str[lhs_len] = '\0';
+
       (*ppNode)->nodeBody.comparison.value_len = rhs_len;
-      (*ppNode)->nodeBody.comparison.value_str = operator;
+      strncpy((*ppNode)->nodeBody.comparison.value_str, rhs, rhs_len);
+      (*ppNode)->nodeBody.comparison.value_str[rhs_len] = '\0';
 
       return PREDICATE_PARSE_OK;
    }

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation