From f609a83e58eccae409a5966a002edba389bbc372 Mon Sep 17 00:00:00 2001 From: Daniel-Constantin Mierla Date: Wed, 2 Nov 2016 23:37:43 +0100 Subject: [PATCH] mi_rpc: init structures to avoid access to invalid content in case of errors --- modules/mi_rpc/mi_rpc_mod.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/modules/mi_rpc/mi_rpc_mod.c b/modules/mi_rpc/mi_rpc_mod.c index 32d444fe280..718aab865ba 100644 --- a/modules/mi_rpc/mi_rpc_mod.c +++ b/modules/mi_rpc/mi_rpc_mod.c @@ -496,25 +496,28 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) struct binrpc_handle rpc_handle; struct binrpc_response_handle resp_handle; int i; - + str *fn; struct mi_node *node; char *command = NULL; int param_count = 0; char **parameters = NULL; struct mi_root* result; - + int resp_type; int resp_code; char *resp; - /* response will be malloced by binrpc_response_to_text. + /* response will be malloced by binrpc_response_to_text. We do not free it. It must remain after this call. It will be reused by subsequent calls */ static unsigned char *response = NULL; static int resp_len = 0; - - if (binrpc_open_connection_url(&rpc_handle, rpc_url) != 0) + + memset(&rpc_handle, 0, sizeof(struct binrpc_handle)); + memset(&resp_handle, 0, sizeof(struct binrpc_response_handle)); + + if (binrpc_open_connection_url(&rpc_handle, rpc_url) != 0) { LM_ERR( "Open connect to %s failed\n", rpc_url); result = init_mi_tree( 500, (char *)CONNECT_FAILED, strlen(CONNECT_FAILED) ); @@ -527,12 +530,12 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) return( init_mi_tree( 400, MI_MISSING_PARM_S, MI_MISSING_PARM_LEN )); fn = &node->value; - + /* find_rpc_exports needs 0 terminated strings */ command = pkg_malloc(fn->len+1); memcpy(command, fn->s, fn->len); command[fn->len] = '\0'; - + /* Count the parameters. */ node = node->next; while (node) { @@ -564,9 +567,9 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) result = init_mi_tree( 500, (char *)FAILED, strlen(FAILED) ); goto end; } - + resp_type = binrpc_get_response_type(&resp_handle); - + /* If we already have a buffer make it NULL terminated to discard any previous content */ if (resp_len > 0) response[0]='\0'; @@ -582,12 +585,12 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) /* Some functions don't give a text answer; use a default */ result = init_mi_tree( 200, MI_OK_S, MI_OK_LEN ); break; - + case 1: /* Valid failure */ binrpc_parse_error_response(&resp_handle, &resp_code, &resp); if (resp_len < strlen(resp) + 1) - { + { if (resp_len==0) response = malloc(strlen(resp) + 1); else @@ -601,7 +604,7 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) /* Some functions don't give a text answer; use a default */ result = init_mi_tree( resp_code, (char *)FAILED, strlen(FAILED) ); break; - + default: result = init_mi_tree( 500, (char *)FAILED, strlen(FAILED) ); goto end; @@ -610,7 +613,7 @@ static struct mi_root* mi_run_rpc(struct mi_root* cmd_tree, void* param) end: if (param_count > 0) { - for (i=0; i