Browse files

THRIFT-1414 bufferoverflow in c_glib buffered transport/socket client

Patch: Christian Zimnick



git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1399452 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information...
1 parent 9bb65ae commit 771ca3cdf187e108444ace60444e611b1cbe2222 @bufferoverflow bufferoverflow committed Oct 17, 2012
View
4 lib/c_glib/src/thrift/transport/thrift_buffered_transport.c
@@ -71,7 +71,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
ThriftBufferedTransport *t = THRIFT_BUFFERED_TRANSPORT (transport);
guint32 want = len;
guint32 got = 0;
- guchar tmpdata[t->r_buf_size];
+ guchar tmpdata[len];
guint32 have = t->r_buf->len;
// we shouldn't hit this unless the buffer doesn't have enough to read
@@ -101,7 +101,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
} else {
got += THRIFT_TRANSPORT_GET_CLASS (t->transport)->read (t->transport,
tmpdata,
- t->r_buf_size,
+ want,
error);
t->r_buf = g_byte_array_append (t->r_buf, tmpdata, got);
View
2 lib/c_glib/src/thrift/transport/thrift_socket.c
@@ -129,7 +129,7 @@ thrift_socket_read (ThriftTransport *transport, gpointer buf,
while (got < len)
{
- ret = recv (socket->sd, buf, len, 0);
+ ret = recv (socket->sd, buf+got, len-got, 0);
if (ret < 0)
{
g_set_error (error, THRIFT_TRANSPORT_ERROR,

0 comments on commit 771ca3c

Please sign in to comment.