From e6526455e1108f80e0fb2a420af8de386739be62 Mon Sep 17 00:00:00 2001 From: Kelvin Chua Date: Sat, 27 Aug 2016 19:14:40 +0000 Subject: [PATCH] pike: fixed rpc array - added array structure when returning multiple addresses instead of concatenated strings - fixed buffer overflow on incorrect buffer size allocation --- modules/pike/pike_rpc.c | 56 ++++++++--------------------------------- modules/pike/pike_top.c | 1 - modules/pike/pike_top.h | 2 ++ 3 files changed, 13 insertions(+), 46 deletions(-) diff --git a/modules/pike/pike_rpc.c b/modules/pike/pike_rpc.c index b8cc1f470ec..ef2d171ceda 100644 --- a/modules/pike/pike_rpc.c +++ b/modules/pike/pike_rpc.c @@ -101,42 +101,15 @@ static void collect_data(int options) } } -/* do not use static buffer with this function */ -static const char *concat_err = "ERROR while concatenating string"; -static char *concat(char *buff, size_t buffsize, const char *first, int second) -{ - int rv; - size_t size; - - while ( (rv = snprintf(buff, buffsize, "%s%d", first, second)) >= buffsize ) { - size = rv > 128 ? rv : 128; - buff = (char *)realloc(buff, size); - if ( buff == 0 ) - return (char*)concat_err; - buffsize = size; - DBG("pike:rpc:concat: new buffer size for %s: %d", first, - (int)buffsize); - } - return buff; -} - static void pike_top(rpc_t *rpc, void *c) { int i; void *handle; + void *list; + void *item; struct TopListItem_t *top_list_root; struct TopListItem_t *ti = 0; - char addr_buff[40]; - char *ip_addr = 0; - char *leaf_hits_prev = 0; - char *leaf_hits_curr = 0; - char *expires = 0; - char *status = 0; - size_t ip_addr_size = 0; - size_t leaf_hits_prev_size = 0; - size_t leaf_hits_curr_size = 0; - size_t expires_size = 0; - size_t status_size = 0; + char addr_buff[PIKE_BUFF_SIZE*sizeof(char)]; char *stropts; int options = 0; @@ -170,7 +143,7 @@ static void pike_top(rpc_t *rpc, void *c) DBG("pike_top: top_list_root = %p", top_list_root); rpc->add(c, "{", &handle); - rpc->struct_add(handle, "d", "max_hits", get_max_hits()); + rpc->struct_add(handle, "d[", "max_hits", get_max_hits(), "list", &list); i = 0; // it is passed as number of rows if ( top_list_root == 0 ) { DBG("pike_top: no data"); @@ -181,24 +154,17 @@ static void pike_top(rpc_t *rpc, void *c) DBG("pike:top: result[%d]: %s leaf_hits[%d,%d] hits[%d,%d] expires: %d status: 0x%02x", i, addr_buff, ti->leaf_hits[0], ti->leaf_hits[1], ti->hits[0], ti->hits[1], ti->expires, ti->status); - rpc->struct_add(handle, "sddds", - concat(ip_addr, ip_addr_size, "ip_addr", i), addr_buff, - concat(leaf_hits_prev, leaf_hits_prev_size, "leaf_hits_prev", i), ti->leaf_hits[0], - concat(leaf_hits_curr, leaf_hits_curr_size, "leaf_hits_curr", i), ti->leaf_hits[1], - concat(expires, expires_size, "expires", i), ti->expires, - concat(status, status_size, "status", i), node_status_array[ti->status]); + rpc->array_add(list, "{", &item); + rpc->struct_add(item, "sddds", + "ip_addr", addr_buff, + "leaf_hits_prev", ti->leaf_hits[0], + "leaf_hits_curr", ti->leaf_hits[1], + "expires", ti->expires, + "status", node_status_array[ti->status]); } } rpc->struct_add(handle, "d", "number_of_rows", i); - /* free buffers */ - free(ip_addr); - free(leaf_hits_prev); - free(leaf_hits_curr); - free(expires); - free(status); pike_top_list_clear(); - - rpc->send(c); } /* ----- exported data structure with methods ----- */ diff --git a/modules/pike/pike_top.c b/modules/pike/pike_top.c index fbf53675784..e187a0b91e6 100644 --- a/modules/pike/pike_top.c +++ b/modules/pike/pike_top.c @@ -33,7 +33,6 @@ static struct TopListItem_t *top_list_root = 0; static struct TopListItem_t *top_list_iter = 0; -#define PIKE_BUFF_SIZE 128 static char buff[PIKE_BUFF_SIZE]; struct TopListItem_t *pike_top_get_root() { return top_list_root; } diff --git a/modules/pike/pike_top.h b/modules/pike/pike_top.h index 805a8257c29..74bb8e30a3e 100644 --- a/modules/pike/pike_top.h +++ b/modules/pike/pike_top.h @@ -24,6 +24,8 @@ #include "ip_tree.h" #include "../../ip_addr.h" +#define PIKE_BUFF_SIZE 128 + struct TopListItem_t { int addr_len; unsigned char ip_addr[45]; /*!< Make room for IPv6 */