Changeset 4790:c1073581d7c2 in roaraudio for libroar/auth.c

Timestamp:

03/11/11 11:25:22 (13 years ago)

Author:

phi

Branch:

default

Phase:

public

Message:

added support for long (> sizeof(mes.data)-4) cookies, fixed memory use-after-free bug in roard

File:

• libroar/auth.c (modified) (4 diffs)

libroar/auth.c

@@ -133 +133 @@
  char                  * header = mes.data;
  int                     ret;
+ char                  * data = NULL;
 
  memset(&mes, 0, sizeof(struct roar_message)); // make valgrind happy!
@@ -139 +140 @@
  mes.datalen = 4 + authmes->len;
 
- if ( mes.datalen > sizeof(mes.data) )
-  return -1;
+ if ( mes.datalen > sizeof(mes.data) ) {
+  data = malloc(mes.datalen);
+  if ( data == NULL )
+   return -1;
+
+  header   = data;
+ }
 
  header[0] = authmes->type;
@@ -148 +154 @@
 
  if ( authmes->len ) {
-  memcpy(mes.data + 4, authmes->data, authmes->len);
- }
-
- if ( (ret = roar_req(con, &mes, NULL)) == -1 ) {
+  if ( data == NULL ) {
+   memcpy(mes.data + 4, authmes->data, authmes->len);
+  } else {
+   memcpy(data + 4, authmes->data, authmes->len);
+  }
+ }
+
+ if ( (ret = roar_req(con, &mes, &data)) == -1 ) {
   authmes->type = -1;
   return -1;
  }
 
+ if ( data != NULL ) {
+  header = data;
+ } else {
+  header = mes.data;
+ }
+
  if ( mes.cmd != ROAR_CMD_OK ) {
+  if ( data != NULL ) {
+   // we currently do not support long error frames.
+   free(data);
+   return -1;
+  }
+
   ret = -1;
   if ( roar_err_parsemsg(&mes, &error_frame) == -1 ) {
@@ -177 +199 @@
  authmes->reserved.c[0] = header[2];
  authmes->reserved.c[1] = header[3];
+
+ if ( data != NULL )
+  free(data);
 
  return ret;