added UREG_HALF_ENROLLED; SMS->Moira
[moira.git] / lib / mr_param.c
index 9a10870ab44d4935401f551276b7a136b7f6a839..b267382f60d2b161932e57969d69ec525a4611d7 100644 (file)
@@ -4,26 +4,18 @@
  *     $Header$
  *
  *     Copyright (C) 1987 by the Massachusetts Institute of Technology
+ *     For copying and distribution information, please see the file
+ *     <mit-copyright.h>.
  *
- *     $Log$
- *     Revision 1.1  1987-06-16 17:48:21  wesommer
- *     Initial revision
- *
- * Revision 1.4  87/06/04  01:32:18  wesommer
- * Renamed gdb calls.
- * 
- * Revision 1.3  87/06/01  03:33:54  wesommer
- * Added destroy_reply.
- * 
- * Revision 1.2  87/05/31  22:03:37  wesommer
- * Fixed numerous bugs; still shaky.
- * 
  */
 
 #ifndef lint
 static char *rcsid_sms_param_c = "$Header$";
 #endif lint
 
+#include <mit-copyright.h>
+#include <sys/types.h>
+#include <netinet/in.h>
 #include "sms_private.h"
 
 /*
@@ -43,6 +35,8 @@ sms_cont_send(op, hcon, arg)
 {
     op->result = OP_SUCCESS;
     free(arg->sms_flattened);
+    arg->sms_flattened = NULL;
+    
     return OP_COMPLETE;
 }
 
@@ -107,7 +101,7 @@ sms_start_send(op, hcon, arg)
      */
 
     ((long *)buf)[0] = htonl(sms_size);
-    ((long *)buf)[1] = htonl((u_int)SMS_VERSION_1);
+    ((long *)buf)[1] = htonl(arg->sms_version_no);
     ((long *)buf)[2] = htonl(arg->sms_procno);
     ((long *)buf)[3] = htonl(arg->sms_argc);
 
@@ -159,6 +153,9 @@ sms_cont_recv(op, hcon, argp)
            fflush(stdout);
            /* Should validate that length is reasonable */
            arg->sms_size = ntohl(arg->sms_size);
+           if (arg->sms_size > 65536) {
+               return OP_CANCELLED;
+           }
            arg->sms_flattened = malloc(arg->sms_size);
            arg->sms_state = S_DECODE_DATA;
            bcopy((caddr_t)&arg->sms_size, arg->sms_flattened, sizeof(long));
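Review bot: The new guard `if (arg->sms_size > 65536)` has no lower limit, so a peer-supplied size smaller than the four-word header still reaches `malloc()` and the `bcopy()` of `sizeof(long)` bytes that follows. A negative size would also pass if `sms_size` is a signed type, which the hunk does not show. The `malloc()` result is used without a NULL check as well. I would write the guard as `if (arg->sms_size < 4 * (int)sizeof(long) || arg->sms_size > 65536)` and add `if (arg->sms_flattened == NULL) return OP_CANCELLED;` after the allocation. The limit would read better as a named constant. sms_cont_recv starts and ends outside this hunk.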
@@ -175,7 +172,9 @@ sms_cont_recv(op, hcon, argp)
            ip = (int *) cp;
            /* we already got the overall length.. */
            for(i=1; i <4; i++) ip[i] = ntohl(ip[i]);
-           if (ip[1] != SMS_VERSION_1)
+           arg->sms_version_no = ip[1];
+           if (arg->sms_version_no != SMS_VERSION_1 &&
+               arg->sms_version_no != SMS_VERSION_2)
                arg->sms_status = SMS_VERSION_MISMATCH;
            else arg->sms_status = ip[2];
            arg->sms_argc = ip[3];
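Review bot: On a version mismatch the branch at `arg->sms_status = SMS_VERSION_MISMATCH;` only records the status and then falls through to `arg->sms_argc = ip[3];`, so the argument count of a message in an unrecognised format is still taken from the wire and, judging by the following hunk, its argument list is still decoded. If that is deliberate so the caller can report the error, a comment such as `/* keep decoding so the mismatch can be reported */` would make it clear; otherwise returning before the argument loop would be the safer choice. The header words are read here through `int *` while sms_start_send writes them through `long *`, which agree only where both types are 32 bits wide. The function continues outside the hunk.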
@@ -184,8 +183,13 @@ sms_cont_recv(op, hcon, argp)
            arg->sms_argl=(int *)malloc(arg->sms_argc *sizeof(int *));
                        
            for (i = 0; i<arg->sms_argc; ++i) {
-               int nlen = ntohl(* (int *) cp);
+               u_short nlen = ntohl(* (int *) cp);
                cp += sizeof (long);
+               if (cp + nlen > arg->sms_flattened + arg->sms_size) {
+                   free(arg->sms_flattened);
+                   arg->sms_flattened = NULL;
+                   return OP_CANCELLED;
+               }                   
                arg->sms_argv[i] = (char *)malloc(nlen);
                bcopy(cp, arg->sms_argv[i], nlen);
                arg->sms_argl[i]=nlen;
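Review bot: Declaring `u_short nlen` narrows the 32-bit wire length to 16 bits, so an oversized length is silently reduced to a small one instead of being rejected, and the length word at `*(int *)cp` is dereferenced before anything confirms that `cp` is still inside `sms_flattened`. I would keep the length at full width and compare it with the bytes remaining, which also avoids forming `cp + nlen` past the end of the buffer; this relies on the header-size check being enforced before the loop, which is outside the hunk. The early return frees only `sms_flattened`; `sms_argl`, the `sms_argv` array (allocated above the hunk, presumably) and the entries already filled are left behind with `sms_argc` still set. Separately, `arg->sms_argc` goes into `malloc(arg->sms_argc *sizeof(int *))` unchecked and the `malloc()` results are used without a NULL test. The loop and the function both continue outside the hunk.

```c
            for (i = 0; i<arg->sms_argc; ++i) {
                u_long nlen;
                char *end = arg->sms_flattened + arg->sms_size;

                /* the length word must lie inside the buffer before it is read */
                if ((u_long)(end - cp) < sizeof (long)) {
                    /* ... same cleanup and return OP_CANCELLED as below ... */
                }
                nlen = ntohl(* (int *) cp);
                cp += sizeof (long);
                /* compare with the bytes remaining: no narrowing, no pointer wrap */
                if (nlen > (u_long)(end - cp)) {
                    free(arg->sms_flattened);
                    arg->sms_flattened = NULL;
                    return OP_CANCELLED;
                }
                /* ... unchanged: malloc/bcopy into sms_argv[i], sms_argl[i] ... */
```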