[Initng-svn] r3626 - initng/trunk/src
svn at initng.thinktux.net
Sun Apr 2 12:35:49 CEST 2006
Author: enrico
Date: Sun Apr 2 12:35:48 2006
New Revision: 3626
Modified:
initng/trunk/src/initng_fd.c
Log:
initng_fd_process_read_input(): terminate read data with '\0'
When a daemon outputs a large amount of data, it may happen that
initng_fd_process_read_input() runs into the
| 204 if (old_content_offset + chars_read > 10000)
| 205 {
| 206 /* copy the string from 1000 chars, to first */
| 207 memmove(p->buffer, &p->buffer[1000], 9000 * sizeof(char));
| 208 /* rezise the buffer */
| 209 p->buffer = i_realloc(p->buffer, 9000 * sizeof(char));
| 210 p->buffer_allocated = 9000;
| 211 }
case. The memmove() there might copy a datablock not terminated by '\0' and
the next initng_fd_process_read_input()
| 118 old_content_offset = strlen(p->buffer);
will read random data, return a bogus string-length and process dirty data
then.
This patch adds some error-checking for the i_realloc() too.
Modified: initng/trunk/src/initng_fd.c
==============================================================================
--- initng/trunk/src/initng_fd.c (original)
+++ initng/trunk/src/initng_fd.c Sun Apr 2 12:35:48 2006
@@ -203,11 +203,27 @@
/* if buffer reached 10000 chars */
if (old_content_offset + chars_read > 10000)
{
+ char *tmp;
+
/* copy the string from 1000 chars, to first */
memmove(p->buffer, &p->buffer[1000], 9000 * sizeof(char));
/* rezise the buffer */
- p->buffer = i_realloc(p->buffer, 9000 * sizeof(char));
- p->buffer_allocated = 9000;
+ tmp = i_realloc(p->buffer, 9001 * sizeof(char));
+
+ /* make sure realloc suceeded */
+ if (tmp)
+ {
+ p->buffer = tmp;
+ p->buffer_allocated = 9000;
+ p->buffer[9000] = '\0';
+ }
+ else
+ {
+ /* make the best for the current situation */
+ p->buffer[0] = '\0';
+ F_("realloc failed, possibly out of memory!\n");
+ return;
+ }
}
}
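Review bot: The else branch sets p->buffer[0] = '\0' and so discards the 9000 characters that memmove() just preserved, even though the branch itself relies on the old block still being valid after a failed i_realloc(), and the memmove() source range (&p->buffer[1000] for 9000 bytes) shows that block holds at least 10000 bytes. Writing p->buffer[9000] = '\0' directly after the memmove(), before calling i_realloc(), would leave a terminated string on both paths and let the failure path keep the data instead of dropping it. Separately, the block is now 9001 bytes while p->buffer_allocated stays at 9000; a short comment saying that buffer_allocated excludes the terminator byte would keep later size checks against it from being misread.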