
Commit bec6cce

committed
upnp_event_prepare(): check the return value of snprintf()
1 parent cd506a6 commit bec6cce


1 file changed

+26
-11
lines changed


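--- a/miniupnpd/upnpevents.c
+++ b/miniupnpd/upnpevents.c
@@ -443,19 +443,34 @@ static void upnp_event_prepare(struct upnp_event_notify * obj)
 l = 0;
 }
 obj->buffersize = 1024;
-obj->buffer = malloc(obj->buffersize);
-if(!obj->buffer) {
-syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
-if(xml) {
-free(xml);
+for (;;) {
+obj->buffer = malloc(obj->buffersize);
+if(!obj->buffer) {
+syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
+if(xml) {
+free(xml);
+}
+obj->state = EError;
+return;
 }
-obj->state = EError;
-return;
+obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+obj->path, obj->addrstr, obj->portstr, l+2,
+obj->sub->uuid, obj->sub->seq,
+l, xml);
+if (obj->tosend < 0) {
+syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare");
+if(xml) {
+free(xml);
+}
+obj->state = EError;
+return;
+} else if (obj->tosend < obj->buffersize) {
+break; /* the buffer was large enough */
+}
+/* Try again with a buffer big enough */
+free(obj->buffer);
+obj->buffersize = obj->tosend + 1; /* reserve space for the final 0 */
 }
-obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
-obj->path, obj->addrstr, obj->portstr, l+2,
-obj->sub->uuid, obj->sub->seq,
-l, xml);
 if(xml) {
 free(xml);
 xml = NULL;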
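Review bot: The snprintf() failure branch (`obj->tosend < 0`) returns with `obj->buffer` still allocated and a negative `obj->tosend` stored in the object, unlike the malloc failure branch, which leaves the pointer NULL. Whether the EError teardown frees that buffer and never uses `tosend` as a length is not visible here, because upnp_event_prepare() starts and ends outside the hunk. If it does not, the buffer leaks, and a negative length is a risk should it ever reach a send call. I would release and reset in that branch before returning: `free(obj->buffer); obj->buffer = NULL; obj->tosend = 0;`. The `for (;;)` should also never need more than two passes, so a bounded retry (or a comment saying so) would make the termination argument explicit.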
