From d471234733de299c88f1036ba17a2406b8ae7a89 Mon Sep 17 00:00:00 2001
From: Dusan Klinec
Date: Sun, 6 Dec 2015 09:42:17 +0100
Subject: [PATCH] fixing coverity found defects - copying into fixed size buffer without check, db_http
---
 modules/db_http/http_dbase.c | 76 ++++++++++++++++++++++++------------
 1 file changed, 50 insertions(+), 26 deletions(-)
diff --git a/modules/db_http/http_dbase.c b/modules/db_http/http_dbase.c
index 16ec5263476..f84f08efb3b 100644
--- a/modules/db_http/http_dbase.c
+++ b/modules/db_http/http_dbase.c
@@ -976,20 +976,20 @@ str url_encode(str s)
 db_con_t* db_http_init(const str* url)
 {
-
+#define DB_HTTP_BUFF_SIZE 1024
 char* path;
- char port [20];
- char user_pass[1024];
- char modified_url[1024];
+ char user_pass[DB_HTTP_BUFF_SIZE];
+ char modified_url[DB_HTTP_BUFF_SIZE];
 str tmp;
+ int off, ret;
- db_con_t * ans;
- http_conn_t * curl;
+ db_con_t * ans = NULL;
+ http_conn_t * curl = NULL;
 int i;
 struct db_id * id;
- memset(modified_url,0,1024);
+ memset(modified_url,0,DB_HTTP_BUFF_SIZE);
 memcpy(modified_url,url->s,url->len);
 strcat(modified_url,"/x");
@@ -999,7 +999,7 @@ db_con_t* db_http_init(const str* url)
 user_pass[0] = 0;
- path = (char*)pkg_malloc(1024);
+ path = (char*)pkg_malloc(DB_HTTP_BUFF_SIZE);
 if( path == NULL )
 {
@@ -1007,13 +1007,14 @@ db_con_t* db_http_init(const str* url)
 return NULL;
 }
- memset(path,0,1024);
+ memset(path,0,DB_HTTP_BUFF_SIZE);
 id = new_db_id( &tmp );
 if( id == NULL)
 {
+ pkg_free(path);
 LM_ERR("Incorrect db_url\n");
 return NULL;
 }
@@ -1022,9 +1023,8 @@ db_con_t* db_http_init(const str* url)
 if( id->username && id->password)
 {
- strcat(user_pass,id->username);
- strcat(user_pass,":");
- strcat(user_pass,id->password);
+ ret = snprintf(user_pass, DB_HTTP_BUFF_SIZE, "%s:%s", id->username, id->password);
+ if (ret < 0 || ret >= DB_HTTP_BUFF_SIZE) goto error;
 }
@@ -1033,6 +1033,7 @@ db_con_t* db_http_init(const str* url)
 if( curl == NULL )
 {
+ pkg_free(path);
 LM_ERR("Out of memory\n");
 return NULL;
 }
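Review bot: In the first hunk (`@@ -976`), `memcpy(modified_url,url->s,url->len)` still copies into the fixed `modified_url[DB_HTTP_BUFF_SIZE]` stack buffer with no length check, and the following `strcat(modified_url,"/x")` needs three more bytes including the terminator, so a `url` longer than `DB_HTTP_BUFF_SIZE - 3` writes past the array. The commit bounds `user_pass` and `path` but leaves this copy as it was. A guard ahead of the `memset` would close it: `if (url->len > DB_HTTP_BUFF_SIZE - 3) { LM_ERR("db_url too long\n"); return NULL; }`. The body of `db_http_init` continues outside this hunk.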
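Review bot: The failure exits taken after `new_db_id()` has succeeded release `path` but not `id`: the `goto error` added in the `@@ -1022` hunk and the `curl == NULL` return in `@@ -1033`, and likewise the `ans == NULL` branch and the `error:` label later in the patch. Whether `id` is stored or freed on the success path is not visible in these hunks, so this needs confirming against the full function. If `db_http_init` owns it at those points, each exit should also call `free_db_id(id);` so that a repeatedly failing initialization does not leak.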
@@ -1050,26 +1051,37 @@ db_con_t* db_http_init(const str* url)
 curl_easy_setopt(curl->handle,CURLOPT_TIMEOUT_MS,db_http_timeout);
 #endif
- strcat(path,"http");
- if ( use_ssl )
- strcat(path,"s");
- strcat(path,"://");
+ ret = snprintf(path, DB_HTTP_BUFF_SIZE, "http");
+ if (ret < 0 || ret >= DB_HTTP_BUFF_SIZE) goto error;
+ off = ret;
+ if (use_ssl) {
+ ret = snprintf(path + off, DB_HTTP_BUFF_SIZE - off, "s");
+ if (ret < 0 || ret >= (DB_HTTP_BUFF_SIZE - off)) goto error;
+ off += ret;
+ }
- strcat(path,id->host);
- if( id->port )
- {
- strcat(path,":");
- sprintf(port,"%d",id->port);
- strcat(path,port);
+ ret = snprintf(path + off, DB_HTTP_BUFF_SIZE - off, "://%s", id->host);
+ if (ret < 0 || ret >= (DB_HTTP_BUFF_SIZE - off)) goto error;
+ off += ret;
+
+ if (id->port) {
+ ret = snprintf(path + off, DB_HTTP_BUFF_SIZE - off, ":%d", id->port);
+ if (ret < 0 || ret >= (DB_HTTP_BUFF_SIZE - off)) goto error;
+ off += ret;
 }
- strcat(path,"/");
+
+ ret = snprintf(path + off, DB_HTTP_BUFF_SIZE - off, "/");
+ if (ret < 0 || ret >= (DB_HTTP_BUFF_SIZE - off)) goto error;
+ off += ret;
 if( strlen(id->database) > 2 )
 {
 id->database[strlen(id->database)-2] = 0;
- strcat(path,id->database);
- strcat(path,"/");
+
+ ret = snprintf(path + off, DB_HTTP_BUFF_SIZE - off, "%s/", id->database);
+ if (ret < 0 || ret >= (DB_HTTP_BUFF_SIZE - off)) goto error;
+ off += ret;
 }
 curl->start.s = path;
@@ -1080,6 +1092,10 @@ db_con_t* db_http_init(const str* url)
 if( ans == NULL )
 {
+ pkg_free(path);
+ curl_easy_cleanup(curl->handle);
+ pkg_free(curl);
+ LM_ERR("Out of memory\n");
 return NULL;
 }
@@ -1101,7 +1117,15 @@ db_con_t* db_http_init(const str* url)
 next_state[ ESC ][ (int) quote_delim ] = IN;
 return ans;
-
+error:
+ if (path)
+ pkg_free(path);
+ if (curl) {
+ curl_easy_cleanup(curl->handle);
+ pkg_free(curl);
+ }
+ LM_CRIT("Initialization error\n");
+ return NULL;
 }
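Review bot: The six `snprintf` / truncation-check / `off += ret` triplets in the `@@ -1050` hunk repeat the same bound arithmetic by hand, which makes a later offset slip easy to introduce. The scheme and host can be formatted in one call, `ret = snprintf(path, DB_HTTP_BUFF_SIZE, "http%s://%s", use_ssl ? "s" : "", id->host);`, leaving only the optional port and database parts as appends. The visible lines also pass `id->host` to `%s` and `id->database` to `strlen` without a NULL test. If `new_db_id()` can leave either unset, which cannot be determined from this hunk, that should be checked before formatting. The function body starts and ends outside the hunk.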
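Review bot: The `error:` label added in the `@@ -1101` hunk tests `if (path)`, but `path` is still declared as `char* path;` with no initializer in the first hunk, while `ans` and `curl` were given `= NULL` by this commit. Every `goto error` visible in the patch sits after the `pkg_malloc`, so the test is always true today; declaring `char* path = NULL;` would keep the label safe if a jump is ever added earlier. The `ans == NULL` branch in the `@@ -1080` hunk repeats the same three cleanup calls and could end in `goto error;` instead. `LM_CRIT("Initialization error\n")` does not say which component overflowed, so a specific `LM_ERR` at each `goto` site, naming the field but not printing the credentials, would help an operator locate the offending part of the db_url.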