authorSimon McVittie <smcv@collabora.com>2017-11-06 19:09:51 +0000
committerSimon McVittie <smcv@collabora.com>2017-11-07 11:38:26 +0000
commit0ea0e4b0fddd1109835b8b9f7a8319d59c8d9303 (patch)
treec7e66c76d15fd516d22f137830a44167cbc04f96 /dbus/dbus-nonce.c
parent96d878d90c79bf2b28790243e23f3f666c241142 (diff)
do_check_nonce: Don't free uninitialized memory on OOM
If _dbus_string_init() fails, it doesn't guarantee that the string is initialized to anything in particular. Worse, if _dbus_string_init (&buffer) fails, p would never have been initialized at all, due to the use of the short-circuiting || operator. Signed-off-by: Simon McVittie <smcv@collabora.com> Reviewed-by: Philip Withnall <withnall@endlessm.com> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103597
Diffstat (limited to 'dbus/dbus-nonce.c')
-rw-r--r--dbus/dbus-nonce.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/dbus/dbus-nonce.c b/dbus/dbus-nonce.c
index bc3286cc..49f87369 100644
--- a/dbus/dbus-nonce.c
+++ b/dbus/dbus-nonce.c
@@ -43,6 +43,20 @@ do_check_nonce (DBusSocket fd, const DBusString *nonce, DBusError *error)
nleft = 16;
+ /* This is a trick to make it safe to call _dbus_string_free on these
+ * strings during error unwinding, even if allocating memory for them
+ * fails. A constant DBusString is considered to be valid to "free",
+ * even though there is nothing to free (of course the free operation
+ * is trivial, because it does not own its own buffer); but
+ * unlike a mutable DBusString, initializing a constant DBusString
+ * cannot fail.
+ *
+ * We must successfully re-initialize the strings to be mutable before
+ * writing to them, of course.
+ */
+ _dbus_string_init_const (&buffer, "");
+ _dbus_string_init_const (&p, "");
+
if ( !_dbus_string_init (&buffer)
|| !_dbus_string_init (&p) ) {
dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);