Changeset 4790:c1073581d7c2 in roaraudio

Timestamp:

03/11/11 11:25:22 (13 years ago)

Author:

phi

Branch:

default

Phase:

public

Message:

added support for long (> sizeof(mes.data)-4) cookies, fixed memory use-after-free bug in roard

Files:

• include/libroar/memmgr.h (modified) (1 diff)
• libroar/auth.c (modified) (4 diffs)
• libroar/authfile.c (modified) (1 diff)
• libroar/libroar.c (modified) (1 diff)
• roard/req.c (modified) (1 diff)
• roard/roard.c (modified) (2 diffs)

include/libroar/memmgr.h

@@ -98 +98 @@
 #define ROAR_MLOCK _ROAR_MLOCK
 
+// aux functions:
+void * roar_mm_memdup(const void * s, size_t len);
+
 #endif
 

libroar/auth.c

@@ -133 +133 @@
  char                  * header = mes.data;
  int                     ret;
+ char                  * data = NULL;
 
  memset(&mes, 0, sizeof(struct roar_message)); // make valgrind happy!
@@ -139 +140 @@
  mes.datalen = 4 + authmes->len;
 
- if ( mes.datalen > sizeof(mes.data) )
-  return -1;
+ if ( mes.datalen > sizeof(mes.data) ) {
+  data = malloc(mes.datalen);
+  if ( data == NULL )
+   return -1;
+
+  header   = data;
+ }
 
  header[0] = authmes->type;
@@ -148 +154 @@
 
  if ( authmes->len ) {
-  memcpy(mes.data + 4, authmes->data, authmes->len);
- }
-
- if ( (ret = roar_req(con, &mes, NULL)) == -1 ) {
+  if ( data == NULL ) {
+   memcpy(mes.data + 4, authmes->data, authmes->len);
+  } else {
+   memcpy(data + 4, authmes->data, authmes->len);
+  }
+ }
+
+ if ( (ret = roar_req(con, &mes, &data)) == -1 ) {
   authmes->type = -1;
   return -1;
  }
 
+ if ( data != NULL ) {
+  header = data;
+ } else {
+  header = mes.data;
+ }
+
  if ( mes.cmd != ROAR_CMD_OK ) {
+  if ( data != NULL ) {
+   // we currently do not support long error frames.
+   free(data);
+   return -1;
+  }
+
   ret = -1;
   if ( roar_err_parsemsg(&mes, &error_frame) == -1 ) {
@@ -177 +199 @@
  authmes->reserved.c[0] = header[2];
  authmes->reserved.c[1] = header[3];
+
+ if ( data != NULL )
+  free(data);
 
  return ret;

libroar/authfile.c

@@ -166 +166 @@
  }
 
- ret->data = ret + sizeof(struct roar_authfile_key) + addrlen;
+ ret->data = (void*)ret + sizeof(struct roar_authfile_key) + addrlen;
 
  ret->len  = len;

libroar/libroar.c

@@ -86 +86 @@
 }
 
+void * roar_mm_memdup(const void * s, size_t len) {
+ void * ret = roar_mm_malloc(len);
+
+ if ( ret == NULL )
+  return NULL;
+
+ memcpy(ret, s, len);
+
+ return ret;
+}
+
 //ll

roard/req.c

@@ -115 +115 @@
   return -1;
 
- ROAR_INFO("req_on_auth(client=%i,...): authtype=%s(%i)", ROAR_DBG_INFO_VERBOSE,
-                           client, roar_autht2str(authmes.type), authmes.type);
+ ROAR_INFO("req_on_auth(client=%i,...): authtype=%s(%i), len=%llu bytes", ROAR_DBG_INFO_VERBOSE,
+                           client, roar_autht2str(authmes.type), authmes.type, (long long unsigned int)authmes.len);
 
  ret = auth_client_ckeck(cs, &authmes, &next);

roard/roard.c

@@ -1374 +1374 @@
  struct roar_authfile_key *  key = NULL;
  int af_type = ROAR_AUTHFILE_TYPE_AUTO;
+ void * keydata;
 
  if ( type == NULL ) {
@@ -1428 +1429 @@
     }
 
-    if ( auth_addkey_cookie(acclev, key->data, key->len) == -1 ) {
+    keydata = roar_mm_memdup(key->data, key->len);
+
+    if ( keydata == NULL ) {
+     ROAR_WARN("add_authfile(*): Can not allocate memory for key.");
+    } else if ( auth_addkey_cookie(acclev, keydata, key->len) == -1 ) {
      ROAR_WARN("add_authfile(*): Can not add key to internal key storage.");
     }