- Error out on overlong challenges as well as too short ones, and check

  the length before attempting to malloc() the buffer.

- Don't try to free the buffer we attempted to allocate if malloc()
  fails.

- Correctly handle the case of recv() failing with EINTR.

- Correctly handle recv() returning 0.

diff --git a/lib/mr_connect.c b/lib/mr_connect.c
index e265675cf73ec225bd78e6a721d73b99d2dbcdf5..9dc690e1c98a31b9491b52ba61f8476072f9a809 100644 (file)
--- a/lib/mr_connect.c
+++ b/lib/mr_connect.c
@@ -365,11 +365,16 @@ int mr_cont_accept(int conn, char **buf, int *nread)
       getlong(lbuf, len);
       len += 4;
 
+      if (len < 58 || len > 1000)
+       {
+         closesocket(conn);
+         return 0;
+       }
+
       *buf = malloc(len);
-      if (!*buf || len < 58)
+      if (!*buf)
        {
          closesocket(conn);
-         free(*buf);
          return 0;
        }
       putlong(*buf, len);
@@ -381,18 +386,29 @@ int mr_cont_accept(int conn, char **buf, int *nread)
 
   more = recv(conn, *buf + *nread, len - *nread, 0);
 
-  if (more == -1 && errno != EINTR)
+  switch (more)
     {
-      closesocket(conn);
-      free(*buf);
-      return 0;
+    case 0:
+      /* If we read 0 bytes, the remote end has gone away. */
+      break;
+    case -1:
+      /* If errno is EINTR, return -1 and try again, otherwise we failed. */
+      if (errno == EINTR)
+       return -1;
+      else
+       {
+         closesocket(conn);
+         free(*buf);
+         return 0;
+       }
+      break;
+    default:
+      *nread += more;
+      if (*nread != len)
+       return -1;
+      break;
     }
 
-  *nread += more;
-
-  if (*nread != len)
-    return -1;
-
   if (memcmp(*buf + 4, challenge + 4, 34))
     {
       closesocket(conn);