mod_netconf: BUGFIX free unallocated memory
buffer was repeatedly freed without test for NULL
diff --git a/src/mod_netconf.c b/src/mod_netconf.c
index 805a6a1..370390c 100644
--- a/src/mod_netconf.c
+++ b/src/mod_netconf.c
@@ -385,7 +385,7 @@
{
struct nc_session *session = NULL;
struct session_with_mutex * locked_session;
- nc_reply* reply;
+ nc_reply* reply = NULL;
int retval = EXIT_SUCCESS;
NC_MSG_TYPE msgt;
NC_REPLY_TYPE replyt;
@@ -738,8 +738,8 @@
static int netconf_generic(server_rec* server, apr_hash_t* conns, const char* session_key, const char* content, char** data)
{
struct nc_session *session = NULL;
- nc_reply* reply;
- nc_rpc* rpc;
+ nc_reply* reply = NULL;
+ nc_rpc* rpc = NULL;
int retval = EXIT_SUCCESS;
NC_MSG_TYPE msgt;
NC_REPLY_TYPE replyt;
@@ -838,7 +838,9 @@
ssize_t buffer_len;
struct pollfd fds;
int status, buffer_size, ret;
- json_object *request, *reply, *capabilities;
+ json_object *request = NULL;
+ json_object *reply = NULL;
+ json_object *capabilities = NULL;
int operation;
int i, chunk_len, len = 0;
char* session_key, *data;
@@ -857,7 +859,8 @@
server_rec * server = ((struct pass_to_thread*)arg)->server;
int client = ((struct pass_to_thread*)arg)->client;
- char * buffer, chunk_len_str[12], *chunked_msg;
+ char *buffer = NULL;
+ char chunk_len_str[12], *chunked_msg;
char c;
while (!isterminated) {
@@ -900,13 +903,17 @@
while (1) {
/* read chunk length */
if ((ret = recv (client, &c, 1, 0)) != 1 || c != '\n') {
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
break;
}
if ((ret = recv (client, &c, 1, 0)) != 1 || c != '#') {
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
break;
}
i=0;
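Review bot: The `if (buffer != NULL)` guard added around each `free (buffer)` in this hunk is redundant, because `free(NULL)` is defined as a no-op. What actually stops the invalid free is the `char *buffer = NULL;` initialisation in the @@ -857 hunk, so the original two lines `free (buffer); buffer = NULL;` could stay as they were. The same applies to the guarded frees in the @@ -915 and @@ -1392 hunks. If the repetition is the concern, one small static helper that frees and clears the pointer would replace all eight copies. The enclosing loop starts and ends outside this hunk.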
@@ -915,29 +922,42 @@
if (i==0 && c == '#') {
if (recv (client, &c, 1, 0) != 1 || c != '\n') {
/* end but invalid */
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
}
/* end of message, double-loop break */
goto msg_complete;
}
chunk_len_str[i++] = c;
+ if (i==11) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, "Message is too long, buffer for length is not big enought!!!!");
+ break;
+ }
}
if (c != '\n') {
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
break;
}
+ chunk_len_str[i] = 0;
if ((chunk_len = atoi (chunk_len_str)) == 0) {
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
break;
}
buffer_size += chunk_len+1;
buffer = realloc (buffer, sizeof(char)*buffer_size);
if ((ret = recv (client, buffer+buffer_len, chunk_len, 0)) == -1 || ret != chunk_len) {
- free (buffer);
- buffer = NULL;
+ if (buffer != NULL) {
+ free (buffer);
+ buffer = NULL;
+ }
break;
}
buffer_len += ret;
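Review bot: `chunk_len = atoi (chunk_len_str)` takes a length from the client and rejects only 0, so a negative value (or one beyond `int`, where atoi's behaviour is undefined) reaches `buffer_size += chunk_len+1` and is then handed to `recv` as the byte count written at `buffer+buffer_len`. The `realloc` result is also assigned straight to `buffer` without a check, so an allocation failure loses the old block and the following `recv` writes through an invalid pointer. Parsing with `strtol`, rejecting non-positive or oversized values, and growing through a temporary closes both gaps, and a fixed upper bound on total message size would be worth adding on top. The sketch assumes `buffer_size` is non-negative here and that `<errno.h>` and `<limits.h>` are available, neither of which is visible in the hunk. The loops containing this code start outside the hunk.

```c
chunk_len_str[i] = 0;
/* parse the client-supplied length strictly: atoi() accepts a sign and cannot report overflow */
errno = 0;
char *len_end = NULL;
long parsed_len = strtol (chunk_len_str, &len_end, 10);
if (errno != 0 || *len_end != '\0' || parsed_len <= 0 || parsed_len > INT_MAX - buffer_size - 1) {
	free (buffer);
	buffer = NULL;
	break;
}
chunk_len = (int)parsed_len;
/* keep the old pointer until realloc() is known to have succeeded */
char *grown = realloc (buffer, (size_t)buffer_size + chunk_len + 1);
if (grown == NULL) {
	free (buffer);
	buffer = NULL;
	break;
}
buffer = grown;
buffer_size += chunk_len+1;
/* … unchanged: recv of chunk_len bytes into buffer+buffer_len … */
```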
@@ -945,7 +965,12 @@
msg_complete:
if (buffer != NULL) {
- request = json_tokener_parse(buffer);
+ enum json_tokener_error jerr;
+ request = json_tokener_parse_verbose(buffer, &jerr);
+ if (jerr != json_tokener_success) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, "JSON parsing error");
+ continue;
+ }
operation = json_object_get_int(json_object_object_get(request, "type"));
session_key = (char*) json_object_get_string(json_object_object_get(request, "session"));
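Review bot: The new `continue` on a parse failure leaves `buffer` allocated and non-NULL; unless the top of the outer loop (outside this hunk) resets it, the next message is appended to the stale data or the block leaks. Releasing it first, with `free (buffer); buffer = NULL;` ahead of `continue;`, keeps this error path consistent with the other bail-outs. Separately, a successful parse can still yield a non-object value such as `null` or an array, and `request` goes to `json_object_object_get` without a `json_object_is_type(request, json_type_object)` check; how json-c reacts to that depends on its version.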
@@ -1392,14 +1417,20 @@
if (reply != NULL) {
msgtext = json_object_to_json_string(reply);
if (asprintf (&chunked_msg, "\n#%d\n%s\n##\n", (int)strlen(msgtext), msgtext) == -1) {
- free (buffer);
+ if (buffer != NULL) {
+ free(buffer);
+ buffer = NULL;
+ }
break;
}
send(client, chunked_msg, strlen(chunked_msg) + 1, 0);
json_object_put(reply);
- reply = NULL;
- free (chunked_msg);
- free (buffer);
+ free(chunked_msg);
+ chunked_msg = NULL;
+ if (buffer != NULL) {
+ free(buffer);
+ buffer = NULL;
+ }
} else {
break;
}
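Review bot: Dropping `reply = NULL;` after `json_object_put(reply);` leaves `reply` pointing at a released object, and the `if (reply != NULL)` test at the top of this hunk would pass on it if a later iteration gets here without assigning a fresh reply. Whether every path reassigns it is not visible in the hunk, so I would restore `reply = NULL;` directly after the put. The `asprintf` failure branch also breaks out without calling `json_object_put(reply)`, and the return value of `send` is ignored, so a short or failed write goes unnoticed.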
diff --git a/src/notification-server.c b/src/notification-server.c
index 364baec..1f2f7f2 100644
--- a/src/notification-server.c
+++ b/src/notification-server.c
@@ -710,7 +710,7 @@
json_object_object_add(notif_json, "eventtime", json_object_new_string(t));
json_object_object_add(notif_json, "content", json_object_new_string(notif->content));
- char *msgtext = json_object_to_json_string(notif_json);
+ const char *msgtext = json_object_to_json_string(notif_json);
n = sprintf((char *)p, "%s", msgtext);
m = libwebsocket_write(wsi, p, n, LWS_WRITE_TEXT);