author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2021-07-15 11:01:20 -0700 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2021-11-12 14:00:31 -0800 |
commit | e79417ed7185b150a056d4eb3a1ab528b91d2fc0 (patch) | |
tree | 47c490359d7072258522d75e3bee5a2da8755bc3 /src/sdpd-server.c | |
parent | 44789fb8d94839d9c2b847d71faa6d649138b128 (diff) | |
sdpd: Fix leaking buffers stored in cstates cache
These buffers shall only be kept in the cache for as long as they are
needed, so this cleans up any client cstates under the following
conditions:
- There is no cstate on the response
- No continuation can be found for cstate
- Different request opcode
- Respond with an error
- Client disconnect
Fixes: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
Diffstat (limited to 'src/sdpd-server.c')
-rw-r--r-- | src/sdpd-server.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/sdpd-server.c b/src/sdpd-server.c
index 9f4b51dac..748cbeb61 100644
--- a/src/sdpd-server.c
+++ b/src/sdpd-server.c
@@ -146,16 +146,12 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 sk = g_io_channel_unix_get_fd(chan);
- if (cond & (G_IO_HUP | G_IO_ERR)) {
- sdp_svcdb_collect_all(sk);
- return FALSE;
- }
+ if (cond & (G_IO_HUP | G_IO_ERR))
+ goto cleanup;
 len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
- if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
- sdp_svcdb_collect_all(sk);
- return FALSE;
- }
+ if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t))
+ goto cleanup;
 size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
 buf = malloc(size);
@@ -168,14 +164,18 @@ static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer d
 * inside handle_request() in order to produce ErrorResponse.
 */
 if (len <= 0) {
- sdp_svcdb_collect_all(sk);
 free(buf);
- return FALSE;
+ goto cleanup;
 }
 handle_request(sk, buf, len);
 return TRUE;
+
+cleanup:
+ sdp_svcdb_collect_all(sk);
+ sdp_cstate_cleanup(sk);
+ return FALSE;
 }
 static gboolean io_accept_event(GIOChannel *chan, GIOCondition cond, gpointer data) |
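Review bot: The two early exits in this hunk now share one silent teardown path, so a peer that hangs up and a peer whose peeked header is shorter than `sizeof(sdp_pdu_hdr_t)` cannot be told apart afterwards. Since the second case now also discards the client's cached continuation buffers, a debug-level message in that branch, through the daemon's existing logging helper, would make repeated malformed-header teardowns visible when investigating an SDP client. A one-line comment on the branch would also help, e.g. `/* Truncated PDU header: treat as end of session */`. The body of io_session_event starts before this hunk and continues after it.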
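Review bot: The `cleanup:` label is reached only through the `goto`s added in this function, so any exit that returns FALSE before them would still leave this socket's cstate buffers cached. The function begins outside both hunks, so it is worth confirming that no earlier `return FALSE` (for instance on an invalid-condition check) bypasses the label. `sdp_cstate_cleanup(sk)` appears to key on the descriptor number, so a leftover entry could presumably be matched by a later client that is handed the same descriptor, which is worse than a plain leak. A short comment above the label would record the invariant, e.g. `/* Session ends here: release records and cached continuation buffers tied to sk */`.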