From 9f56cedf22ed4e2cf0bfdab38d4fff4c96e5e46d Mon Sep 17 00:00:00 2001
From: wesommer
Date: Sun, 2 Aug 1987 21:49:15 +0000
Subject: [PATCH] Clean up error handling, memory handling.
---
 lib/mr_param.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/lib/mr_param.c b/lib/mr_param.c
index 9a10870a..45bd66c9 100644
--- a/lib/mr_param.c
+++ b/lib/mr_param.c
@@ -6,9 +6,12 @@
 * Copyright (C) 1987 by the Massachusetts Institute of Technology
 *
 * $Log$
- * Revision 1.1 1987-06-16 17:48:21 wesommer
- * Initial revision
+ * Revision 1.2 1987-08-02 21:49:15 wesommer
+ * Clean up error handling, memory handling.
+ * Revision 1.1 87/06/16 17:48:21 wesommer
+ * Initial revision
+ *
 * Revision 1.4 87/06/04 01:32:18 wesommer
 * Renamed gdb calls.
 *
@@ -24,6 +27,8 @@ static char *rcsid_sms_param_c = "$Header$";
 #endif lint
+#include
+#include
 #include "sms_private.h"
 /*
@@ -43,6 +48,8 @@ sms_cont_send(op, hcon, arg)
 {
 op->result = OP_SUCCESS;
 free(arg->sms_flattened);
+ arg->sms_flattened = NULL;
+
 return OP_COMPLETE;
 }
@@ -159,6 +166,9 @@ sms_cont_recv(op, hcon, argp)
 fflush(stdout);
 /* Should validate that length is reasonable */
 arg->sms_size = ntohl(arg->sms_size);
+ if (arg->sms_size > 65536) {
+ return OP_CANCELLED;
+ }
 arg->sms_flattened = malloc(arg->sms_size);
 arg->sms_state = S_DECODE_DATA;
 bcopy((caddr_t)&arg->sms_size, arg->sms_flattened, sizeof(long));
@@ -184,8 +194,13 @@ sms_cont_recv(op, hcon, argp)
 arg->sms_argl=(int *)malloc(arg->sms_argc *sizeof(int *));
 for (i = 0; isms_argc; ++i) {
- int nlen = ntohl(* (int *) cp);
+ u_short nlen = ntohl(* (int *) cp);
 cp += sizeof (long);
+ if (cp + nlen > arg->sms_flattened + arg->sms_size) {
+ free(arg->sms_flattened);
+ arg->sms_flattened = NULL;
+ return OP_CANCELLED;
+ }
 arg->sms_argv[i] = (char *)malloc(nlen);
 bcopy(cp, arg->sms_argv[i], nlen);
 arg->sms_argl[i]=nlen;
-- 
2.45.2
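Review bot: The new size check in sms_cont_recv bounds sms_size from above only; the `bcopy((caddr_t)&arg->sms_size, arg->sms_flattened, sizeof(long))` two lines below still writes sizeof(long) bytes into a buffer that may be shorter than that, and the `malloc` result between them is never checked. Consider `if (arg->sms_size < sizeof(long) || arg->sms_size > 65536) return OP_CANCELLED;` and, after the allocation, `if (arg->sms_flattened == NULL) return OP_CANCELLED;`. The declaration of sms_size is not in the hunk; if it is a signed type, a negative value read from the wire would also pass a `> 65536` test, so the comparison is better made on an unsigned value, and the limit 65536 would read better as a named constant. sms_cont_recv continues on both sides of the hunk.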
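Review bot: The bounds check added after `cp += sizeof (long);` comes one step too late: the length word read on the line before it, `ntohl(* (int *) cp)`, is itself unchecked, so a message whose sms_argc is larger than sms_size can hold reads past the end of sms_flattened before the test runs. Narrowing the result to `u_short` also silently truncates a 32-bit wire length, so the value checked against the buffer is not the value the sender encoded; keeping the full width and comparing the length against the bytes remaining avoids both problems and keeps the pointer arithmetic inside the buffer (forming `cp + nlen` past its end is undefined in C). On the cancel path only sms_flattened is released, while the strings already stored in sms_argv[0..i-1] and the sms_argl array are left behind, and the `malloc(nlen)` on the following line is unchecked. The loop body continues past the end of the hunk.
```c
/* inside the per-argument loop of sms_cont_recv */
        char *end = arg->sms_flattened + arg->sms_size;
        /* the length word itself must lie inside the buffer */
        if ((unsigned long)(end - cp) < sizeof (long)) {
            free(arg->sms_flattened);
            arg->sms_flattened = NULL;
            return OP_CANCELLED;
        }
        unsigned long nlen = ntohl(* (int *) cp);
        cp += sizeof (long);
        if (nlen > (unsigned long)(end - cp)) {
            /* … unchanged: free sms_flattened, clear it, return OP_CANCELLED … */
        }
        /* … unchanged: allocate and copy sms_argv[i], record sms_argl[i] … */
```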